Keyboard app left details of 31m users on unsecured server

Personal data belonging to over 31 million customers of a popular virtual keyboard app has leaked online.

Security researchers say the AI.type app's developer failed to secure the database server containing everything from user's names to their locations, and the contents of their electronic address book.

The app, available on both Android and iOS, has over  40 million users across the world.

Scroll down for video 

Security researchers say the AI.type app's developer failed to secure the database server containing everything from user's names to their locations.

Security researchers say the AI.type app's developer failed to secure the database server containing everything from user's names to their locations.

WHAT WAS LEAKED 

 Each record contains a wealth of data, including:

Phone number, full name of the owner, device name and model, mobile network name, SMS number, screen resolution, user languages enabled, Android version, IMSI number (international mobile subscriber identity used for interconnection), IMEI number (a unique number given to every single mobile phone), emails associated with the phone, country of residence, links and the information associated with the social media profiles (birthdate, title, emails etc.) and photo (links to Google+, Facebook etc.), IP (if available), location details (long/lat).

Almost 6.5 million records also contained data collected from users' contact books, including names (as entered originally) and phone numbers, in total more than 373 million records scraped from registered users' phones, which include all their contacts saved/synced on linked Google account.

 

Security researchers at the Kromtech Security Center the server wasn't protected with a password, allowing anyone to access the company's database of user records, totaling more than 577 gigabytes of sensitive data from 31,293,959 users.

The server is owned by Eitan Fitusi, co-founder of AI.type, a customizable and personalizable on-screen keyboard. 

The data was only secured after the firm made several attempts to contact Fitusi, who acknowledged the security lapse this weekend. 

The server has since been secured, but Fitusi did not respond when asked for comment. 

AI.type says on its website that user's privacy 'is our main concern.' 

Any text entered on the keyboard 'stays encrypted and private,' says the company.

However, when researchers installed Ai.Type they were shocked to discover that users must allow 'Full Access' to all of their data stored on the testing iPhone, including all keyboard data past and present. 

'This is a shocking amount of information on their users who assume they are getting a simple keyboard application,' the firm said.

Bob Diachenko, head of communications at Kromtech Security Center, said: 'Theoretically, it is logical that anyone who has downloaded and installed the Ai.Type virtual keyboard on their phone has had all of their phone data exposed publicly online. 

'This presents a real danger for cyber criminals who could commit fraud or scams using such detailed information about the user. 

'It raises the question once again if it is really worth it for consumers to submit their data in exchange for free or discounted products or services that gain full access to their devices.'

When researchers installed Ai.Type they were shocked to discover that users must allow “Full Access” to all of their data stored on the testing iPhone, including all keyboard data past and present.

When researchers installed Ai.Type they were shocked to discover that users must allow 'Full Access' to all of their data stored on the testing iPhone, including all keyboard data past and present.

ZDNet obtained a portion of the database to verify.

It found each record contains a basic collected data, including the user's full name, email addresses, and how many days the app was installed. 

It also included a user's precise location, including their city and country.

The app, available for both Android and iOS, has a free version, which per its privacy policy collects more data than the paid version, which the company uses to monetize with advertising.

It is believes the database only contained details of Android users

More complete records also include the device's IMSI and IMEI number, the device's make and model, its screen resolution, and the device's specific Android version.

A large portion of the records also included the user's phone number and the name of their cell phone provider, and in some cases their IP address and name of their internet provider if connected to Wi-Fi. 

6,435,813 records that contained data collected from users’ contact books, including names (as entered originally) and phone numbers, in total more than 373 million records scraped from registered users’ phones, which include all their contacts saved/synced on linked Google account.

6,435,813 records that contained data collected from users’ contact books, including names (as entered originally) and phone numbers, in total more than 373 million records scraped from registered users’ phones, which include all their contacts saved/synced on linked Google account.

Many records contain specific details of a user's public Google profile, including email addresses, dates of birth, genders, and profile photos.

ZDNet said it also found several tables of contact data uploaded from a user's phone, one with 10.7 million email addresses and another with 374.6 million phone numbers.

Alex Kernishniuk of Kromtech said 'This is once again a wakeup call for any company that gathers and stores data on their customers to protect, secure, and audit their data privacy practices.

'It is clear that data is valuable and everyone wants access to it for different reasons.

'Some want to sell the data they collect, others use it for targeted marketing, predictive artificial intelligence, and cyber criminals want to use it to make money in more and more creative ways. '