Published: Wed, December 06, 2017
Science | By Hubert Green

Keyboard maker AI.type exposes 31M customer records in latest database breach


Uncovered by security researchers at Kromtech Security Center, the keyboard app that offers an alternative to the native keyboards on Android and iOS devices was found to be extracting personal data from some 31 million users and flinging it over to an unsecured database server owned by the app's co-founder Eitan Fitusi.

Security experts from Kromtech Security Center who discovered the breach said the company's database wasn't secured with a password, meaning the data was easily accessible to hackers and anyone else who may have inadvertently stumbled across it.

Researchers had attempted to contact the company behind AI.type on multiple occasions, but it wasn't until this past weekend that the company finally acknowledged it. AI.type says it has now secured the database, and that the leak didn't impact AI.type's nine million iOS users.

The records themselves contain each user's full name, email address, how long they have had the app installed, as well as precise details on their exact geographical location.

Users on the free version have more data farmed from their usage than users of the paid version - a statement made clear in its privacy policy.

Other than the worry that a dodgy keyboard app could be logging your every keystroke and sending it off to some suspect third-party, you'd hope something as straightforward as typing was worry free.

Now it's worth pointing out that the ai.type Keyboard app does note that it'll suck up data and requires permissions to the user's mobile contacts database, though it points out that "all information is locally stored on smartphone's vocabulary".

While many of those details amount to basic records, the database also housed records that revealed more sensitive information about users. This data is then monetised through advertising, but it was also stored on the insecure server, linked to individual users. One table listed 10.7 million email addresses, while another contained 374.6 million phone numbers.

A large portion of the records also included the user's phone number and the name of their cell phone provider, and in some cases their IP address and name of their internet provider if connected to Wi-Fi.

Ai.type users will at least be relieved to learn that no passwords or payment details were kept on the server. While it promises to keep the content "encrypted and private", the company failed to even secure the database.

ZDNet's report found, however, that the company had collected more than 8.6 million text entries from the keyboard, including phone numbers, web search terms, and concatenated emails and passwords.

"Theoretically, it is logical that anyone who has downloaded and installed the Ai.Type virtual keyboard on their phone has had all of their phone data exposed publicly online", Diachenko told ZDNet.

"This presents a real danger for cybercriminals who could commit fraud or scams using such detailed information about the user", Diachenko added.

Ai.type uses artificial intelligence to help users type faster and more accurately.
