Keyboard app security gaffe exposes 31mn users' data including passwords, web searches

Joanna Estrada
December 6, 2017

"Theoretically, it is logical that anyone who has downloaded and installed the Ai.Type virtual keyboard on their phone has had all of their phone data exposed publicly online", he told ZDNet. He said it contained secondary information that was "mostly statistical behavior information, about user use patterns of the keyboard".

Interestingly, the free version of AI.type was found to have collected more data than the paid version. The leak also serves as a reminder not to reuse passwords, as one exposed password can lead to multiple accounts being compromised.

AI.type co-founder Eitan Fitusi says the company has secured the database since the revelation of the leak, but hasn't yet commented on the issue.

Other records are significantly more detailed. One of the leaked database tables includes 10.7 million email addresses from contact data.

The data also included a user's precise location, including their city and country. According to the report, in addition to the 31.2 million users affected by the leak, another database was found containing an additional 753,456 users. Data collected from free users includes their phone's unique IMSI and IMEI numbers, SIM cards and mobile networks, and what version of Android the phone has. Accompanying the numbers were the make and model of the device, its screen resolution and the version of Android it was running. Another table contains 374.6 million phone numbers.

A large portion of the records also included the user's phone number and the name of their cell phone provider, and in some cases their IP address and the name of their internet provider if connected to Wi-Fi. Information in the Google profiles includes email addresses, profile photos and dates of birth, and some records include lists of every app installed on a person's phone.

Kromtech added that over 6 million records also contained data from users' contact books, "in total more than 373 million records scraped from registered users' phones, which include all their contacts saved/synced on linked Google account".

It doesn't stop there as the app also seemingly had access to a user's contacts. While the app is available for both iOS and Android, the leaked data seems to relate only to Android users.

Nearly 6.5 million records also contained data collected from users' contact books, including names (as entered originally) and phone numbers, in total more than 373 million records scraped from registered users' phones, which include all their contacts saved/synced on linked Google account.

For users of AI.type, the text records could be troublesome, as it means logging in to any site or service with AI.type installed may have revealed that information. The report explains that the data wasn't protected with a password, making it easily accessible to employees...

While the app may have tens of millions of users all over the world, its developers failed to protect the database with a password, enabling anyone to access the database, which is over 577 GB in size. The unprotected database from AI.type reveals just how much detail the app can grab from users without their explicit knowledge.
