Unfortunately, it happens again and again. Companies to whom we entrust data do not properly secure it, and then it ends up in the hands of people to whom one would not want this data to be accessible. Such things are always particularly critical when it comes to very sensitive data. A leak of user data through a keyboard app makes one sit up and take notice because, after all, a lot of information is entered via the smartphone keyboard.
ai.type is one such third-party keyboard, and the company claims more than 40 million downloads. It had 577 GB of data stored in a Mongo database, which, once again, was not secured. It was simply sitting on the server and could be viewed by anyone. The whole thing was discovered by the Kromtech Security Center.
In this case, of course, it is interesting to know whether or how the data was protected and what kind of data it is. The bad news: there was no encryption or any other security measure, and a lot of user data was stored. For example, all contacts that a user has. But the data collection also makes the user himself very transparent.
For 31,293,959 users, information such as mobile phone number, owner's name, device name and model, wireless service provider, IMSI, IMEI, emails, and much more was stored and is now in circulation. In addition, well over 6.4 million records containing information from users' address books were discovered. In total, more than 373 million "records" from user smartphones were tapped and stored in the database.
Information about keyboard usage can also be found in the entries, such as how many words were typed on average and the like. According to the BSI, credit card data as well as keystrokes were also stored. The BSI also advises changing the passwords of accounts used with the keyboard.
That public access to the database was an unintentional error is evidenced by the fact that a possible attacker could not only read the database but also delete content directly. How such a mistake can happen when one is responsible for the data of over 30 million users is beyond me.
Likewise, why not a word is said about encrypting the data. It is one thing to get access to a database, another to be able to read it out without any problems. But that's the way it is in life when the human factor plays along: mistakes happen, even if they should not happen, especially in such sensitive areas.
So far it is unclear why ai.type collects this amount of data at all. It includes information that a user would not expect a keyboard app to need.
Did you use the keyboard? Will you continue to use it? By the way, it is available for iOS and Android, if anyone wants to risk a look; there has also been an update.