Third-Party Keyboard App Leaks Personal Details of Over 31 Million Android Users

Cybersecurity experts announce that a virtual keyboard developer has exposed sensitive data collected from its users to misuse. The Kromtech Security Center have discovered vast amounts of customer files that have leaked online and have been publicly available to anyone with access to the Internet. Apparently, this has become possible through a misconfigured MongoDB database, while the leaked data belongs to the Israeli company AiType. The Tel Aviv-based startup has failed to protect its servers with a password, exposing thus all stored customer records to data theft and misuse. The user details in question have been collected by the company's personalized keyboard application for smartphones and tablets. Although the app is available for both Android and iOS devices, the issue concerns only Android users.

Google Play Store download statistics shows that the app has been downloaded around 40 million times, and the trend goes upwards. At the same time, the leaked database contains data of over 31 million customers that have at some point used the Ai.Type on-screen keyboard. It was only after the researchers from Kromtech Security Center attempted to contact the company's owner a few times that Ai.Type acknowledged the security lapse and secured its servers.

It is common for on-screen keyboards to require high-level permissions, and Android warns its users that everything they type on their mobile devices could be collected by such apps, including personal details, passwords and credit card numbers. Ai.Type makes no exception, yet in this case, the company has not managed to hold its promise that everything entered through their virtual keyboard would remain encrypted and private.

The analysis of the leaked database shows that some customer records are more detailed than others, depending on whether the device has the free or the paid version of the software. However, the basic information collected from each user includes e-mail addresses, full name, precise location, and for how long the app has been installed on the device. The more complete records also contain a list of the user's contacts, along with details from social media apps, like gender, date of birth, profile photos and passwords. Additionally, Ai.Type has gathered precise data about the device's model, configuration, as well as a list of other installed apps. The total size of the exposed database is 577GB with 31,293,959 records, while the total number of records stored on the company's servers is around 373 million.

So far, there is no evidence that Ai.Type has sold the data collected from its users to third parties, though it's typically what free versions of the apps target. Here, it turns out that even paid users of the Ai.Type keyboard have not been not safe since theoretically everyone who has downloaded and installed the app could have their data exposed to all kinds of cyber fraud and misuse.