Database found online available to pretty much everyone

Dec 6, 2017 04:39 GMT

If you’ve been using the keyboard app developed by Ai.Type, there’s a good chance that your personal information has been exposed online, as security researchers discovered that the company silently collected data and stored it in a misconfigured MongoDB database.

Security vendor Kromtech estimates that sensitive data belonging to approximately 31 million users was included in the database, and the entries found show that the keyboard app logged pretty much any keystroke, whether it was standard text or passwords.

While the developing company says it doesn’t collect information from password fields and that all data is encrypted, ZDNet reveals that the database discovered by Kromtech included users’ full names, email addresses, location, device make, model, and IMEI, screen resolution, and Android versions. More personal information collected from social media was also found, like dates of birth, genders, profile photos, contacts, and even passwords.

Kromtech says the 577 GB database was exposed online and was freely available to anyone with an Internet connection, with no fewer than 31,293,959 records discovered.

There were 6,435,813 entries with information collected from contact books, including names and phone numbers, and the security vendor estimates the keyboard app stored more than 373 million records on the parent company’s servers.

Keyboard apps requiring full access

In most cases, third-party keyboard apps require full access to typed data, and Android warns that this could be a security risk, though users don’t normally expect their information to be collected and exposed online.

While some companies sell information collected from users, it’s not clear if Ai.Type did this, though the company does offer a paid version of its keyboard app for those who don’t want their data to be uploaded to its servers.

“Theoretically, it is logical that anyone who has downloaded and installed the Ai.Type virtual keyboard on their phone has had all of their phone data exposed publicly online. This presents a real danger for cyber criminals who could commit fraud or scams using such detailed information about the user. It raises the question once again if it is really worth it for consumers to submit their data in exchange for free or discounted products or services that gain full access to their devices,” Bob Diachenko, head of communications at Kromtech Security Center, said.

The keyboard app from Ai.Type is also available on iPhone, where it requires full access as well, but it’s not yet clear if the data collection impacted Apple users too or only those on Android.