Security researchers from Kromtech Security Center have discovered a huge amount of personal data belonging to 31 million users of the popular smartphone virtual keyboard, Ai.type, has published online after the developer failed to correctly secure the application’s database.
Ai.type is a customizable and personalizable on-screen keyboard that runs on iOS and Android, with more than 40 million users all over the world.
According to researchers:
“a simple misconfiguration could allow the database to be easily exposed online. One flaw is that the default settings of a MongoDB database would allow anyone with an internet connection to browse the databases, download them, or even worst case scenario to even delete the data stored on them.”
The leaked database includes Full name, phone number, email address, device name, screen resolution, model details, Android version, IMSI number, IMEI number, IP addresses, GPS locations and many more.
The strange thing is that the published database also shows that the virtual keyboard application is also collecting users’ contact lists, including the contacts’ names and phone numbers—and already scraped more than 373 million records.
It raises the question of why would a keyboard and emoji app need to collect the whole data of the user’s phone or tablet?