Virtual Keyboard App Exposed Data From 31 Million Users
Virtual keyboard app developer Ai.Type accidentally exposed the personal data of 31 million users, including their phone contacts, according to security researchers.
The files were stored in a MongoDB database that was configured so that anyone online could access it. Researchers at Kromtech Security Center discovered the problem and notified Ai.Type last month.
In an email, Ai.Type's CEO Eitan Fitusi said the exposed database is now secure, and it only contained "basic data," like keyboard use patterns and advertising monitoring.
According to Kromtech, though, the client registration files for the 31 million users also contained the device name, the IMEI number, location details based on IP address, and links to the social media profile associated with the smartphone. Ai.Type was also collecting data from user's contact lists, according to the researchers. In total, the database had 373 million phone numbers stored within.
However, Fitusi said the app is not snooping on users. The 577GB worth of files stored in the database is statistical information the app pulls from customers to help the virtual keyboard's AI-powered prediction engine to run, he said.
Ai.Type uses the contact information to predict contact names, numbers, and emails. "We have a call or send mail buttons on the keyboard...so you can send the number or call the person in one click," he said. About 10 percent of that data is sent to the server for prediction purposes, but it's not shared with any third party.
Kromtech said it found no signs that malicious actors ever accessed the exposed files, but hackers have been on the hunt for vulnerable MongoDB databases, wiping them, and demanding a ransom.
Ai.Type, which is based in Israel, has over 60 million users, and offers an Android and iOS version of its keyboard. Android users who install the free version of the app might be scared away by an alert that says the keyboard may collect "all the text you type," including passwords and credit card numbers. But Fitusi said this warning is issued by the Android OS, not the app itself, and will appear for any alternative input method you try to install.
"We are not collecting\storing\sending any password or credit card information," Fitusi added. When the keyboard does collect statistical information about keyboard strokes, it is not tied to any identifiable user information, he said.
Kromtech said it didn't find any keystroke data, passwords, or credit card data in the exposed database. But it was still alarmed that the keyboard app was collecting customers' phone contact list data.
"It raises the question once again if it is actually worth it for consumers to submit their data in exchange for free or discounted products," the company said in its blog post.
Source: https://sea.pcmag.com/news/18535/virtual-keyboard-app-exposed-data-from-31-million-users
Posted by: killingersequild.blogspot.com
