Personal Data of Over 31 Million People Leaked Via Popular Virtual Keyboard App
A popular virtual keyboard app has caused leakage of personal data belonging to over 31 million customers.
This data breach has happened after the app developer failed in securing the database server, which is owned by Eitan Fitusi, co-founder of the customizable and personalizable on-screen keyboard AI.type. AI.type, which is available on both Android and iOS, has over 40 million users worldwide.
The notable thing, however, is that the server was not protected with a password, thereby allowing an intruder to access the company’s database, which obviously sensitive personal data of the users.
It’s the Kromtech Security Center that has discovered this data leak. Bob Diachenko, security enthusiast and Kromtech’s Chief Communication Officer, has written a detailed post on the data leak. The blog post says- “The Kromtech Security Center has discovered a massive amount of customer files leaked online and publically available. Researchers were able to access the data and details of 31,293,959 users. The misconfigured MongoDB database appears to belong to Ai.Type a Tel Aviv-based startup that designs and develops a personalized keyboard for mobile phones and tablets for both Android and iOS devices.”
More than 577 GB of sensitive data has thus been exposed, to anyone who wishes to steal it and misuse it. The Kromtech blog post explains how the data leak occurred- “Ai.Type accidentally exposed their entire 577GB Mongo-hosted database to anyone with an internet connection. This also exposed just how much data they access and how they obtain a treasure trove of data that average users do not expect to be extracted or datamined from their phone or tablet. MongoDB is a common platform used by many well known companies and organizations to store data, but a simple misconfiguration could allow the database to be easily exposed online. One flaw is that the default settings of a MongoDB database would allow anyone with an internet connection to browse the databases, download them, or even worst case scenario to even delete the data stored on them.”
The exposed data is highly sensitive and contains all personal details of users who installed the AI.type virtual keyboard. The data includes name, phone number, date of birth, device details, mobile network details, screen resolution details, details regarding the Android version, IMSI number and IMEI number, emails associated with the phone, country details, information associated with the users’ social media profiles, photos saved in Google+, Facebook etc, IP (if available) etc.
ZDNet has come out with a detailed post on the data breach, which states- “The data was only secured after several attempts to contact Fitusi, who acknowledged the security lapse this weekend. The server has since been secured, but Fitusi did not respond when we asked for comment.”
The ZDNet post says that the exposed data even seems to have details about email addresses and phone numbers of contacts on users’ phones, lists of apps such as banking apps and dating apps etc. The post also points out that though AI.type says on its website that privacy is its main concern and that any text entered on the keyboard would remain encrypted and private, the database wasn’t encrypted. The post further says- “We also found evidence that text entered on the keyboard does get recorded and stored by the company, though to what extent remains unclear…The company also promises to “never share your data or learn from password fields,” but we saw one table containing more than 8.6 million entries of text that had been entered using the keyboard, which included private and sensitive information, like phone numbers, web search terms, and in some cases concatenated email addresses and corresponding passwords.”
The Kromtech Security Center post includes a comment from Chief Communication Officer Bob Diachenko, who says that such an incident “…raises the question once again if it is really worth it for consumers to submit their data in exchange for free or discounted products or services that gain full access to their devices.”
It also includes a detailed comment from Alex Kernishniuk, VP of strategic alliances, Kromtech, who states that this “…is once again a wakeup call for any company that gathers and stores data on their customers to protect, secure, and audit their data privacy practices.”
Kevin Jones167 Posts
Kevin Jones, Ph.D., is a research associate and a Cyber Security Author with experience in Penetration Testing, Vulnerability Assessments, Monitoring solutions, Surveillance and Offensive technologies etc. Currently, he is a freelance writer on latest security news and other happenings. He has authored numerous articles and exploits which can be found on popular sites like hackercombat.com and others. He holds prestigious certifications like OSWP, OSCP, ITIL. His goals in life are simple - to finish her maiden business venture on Cybersecurity, and then to keep writing books for as long as possibly can and never miss a flight that makes the news.