Virtual Keyboard App Exposed Data From 31 Million Users


Another data leak case has surfaced wherein the personal details of almost 31 million Android users using the AI.type app has been exposed on an online open database.

ZDNet's report found, however, that the company had collected more than 8.6 million text entries collected from the keyboard, including phone numbers, web search terms, and concatenated emails and passwords.

Ai.type's own figures state that the app has been downloaded about 40 million times on the Google Play store since its launch in 2010.

In what appears to have been an alarmingly elementary error, the server reportedly had no password protection, opening up the data to internet users who could then browse, download, or even delete the information held on it. Users of the app may want to think twice about typing any sensitive information while using the app, as it is likely to be sucked up and stored in a server.

According to Kromtech, though, the client registration files for the 31 million users also contained the device name, the IMEI number, location details based on IP address, and links to the social media profile associated with the smartphone.

It also included a user's precise location, including their city and country.

For reasons now unclear, some of the leaked information is reported to also include details linked to Google profiles, such as birth dates, genders, and profile pictures. The app has a free version, which per its privacy policy collects more data than the paid version, which the company uses to monetize with advertising. "This also exposed just how much data they access and how they obtain a treasure trove of data that average users not do expect to be extracted or data-mined from their phone or tablet".

For users who are anxious they may have typed a password or other sensitive information while using the app, there is little recourse as it's impossible to know for sure if that data was recorded and exposed. ZDNet said it also uncovered the contact details from user's address books.

Several tables contained lists of each app installed on a user's device, such as banking apps and dating apps.

"It is clear that data is valuable and everyone wants access to it for different reasons", he said.

Alex Kernishniuk of Kromtech said 'This is once again a wakeup call for any company that gathers and stores data on their customers to protect, secure, and audit their data privacy practices. Every single successful cyber-attack or developers failing to secure cloud data exposes millions of credentials and personal details of users, but many mobile phone users are not aware of such risks. However, he outlined that most of the data was insensitive.

The seven-year-old company also claims that anything typed using its keyboards "stays encrypted and private".

"This presents a real danger for cybercriminals who could commit fraud or scams using such detailed information about the user", Diachenko added.

'It raises the question once again if it is really worth it for consumers to submit their data in exchange for free or discounted products or services that gain full access to their devices'.