Cloud databases debased: AI.type virtual keyboard leaks 31M users' sensitive data

Once again, it’s time to play “spot the unsecured cloud data.” In this week’s episode …

A popular virtual keyboard app on iOS and Android, A.I.type, left a huge Mongo database just kinda lying around and exposed to the Internet. Not only that, but the leak revealed the amazing extent to which the app collected users’ personal, sensitive data.

Will stories like this ever stop? In this week’s Security Blogwatch, we wonder who we can trust.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention:  The real Gotham city 

The State of Security Operations

Okay, let’s not mince words—Zack Whittaker says he’s “****ing horrified”:

Some 31 million people are about to have a really bad week.

Personal data belonging to over 31 million customers … has leaked online. … AI.type, a customizable and personalizable on-screen keyboard, which boasts more than 40 million users … allow[ed] anyone to access the … database of user records.

[There’s] more than 577 gigabytes of sensitive data [including] the user's full name, email addresses … precise location … the device's IMSI and IMEI number … make and model … screen resolution, and … Android version. A large portion of the records also included the user's phone number and the name of their cell phone provider, and in some cases their IP address. … Many records contain specific details of a user's public Google profile, including email addresses, dates of birth, genders, and profile photos.

We also found several tables of contact data uploaded from a user's phone [including] 10.7 million email addresses [and] 374.6 million phone numbers. … Several tables contained lists of each app installed on a user's device, such as banking apps and dating apps. [Another] included private and sensitive information, like … web search terms … email addresses and corresponding passwords.

AI.type’s co-founder wouldn’t respond to comment. But he told the BBC that some things were inaccurate in our report. Sadly, he’s wrong (or more likely, he’s lying).

Who discovered the leak? It was Kromtech, claims Bob Diachenko:

The misconfigured MongoDB database appears to belong to Ai.Type a Tel Aviv-based startup that designs and develops a personalized keyboard for mobile phones and tablets for both Android and iOS devices. … Their flagship product for Android was downloaded about 40 million times.

Consumers give up more data than ever before in exchange for using services or applications. The scary part is that companies collect and use their personal data in ways they may not know. … Why would a keyboard and emoji application need to gather the entire data of the user’s phone or tablet? … This is a shocking amount of information on … 31,293,959 users.

Anyone who has downloaded and installed the Ai.Type virtual keyboard on their [Android] phone has had all of their phone data exposed publicly online.

How bad is it? Pascal “@passy” Hartig has a bit of a hissy fit:

A 557GB MongoDB on the public internet without any authentication, containing records of 31 million users with precise geo locations.

That's as bad as it gets.

Harvey Lubin summarizifies: [You’re fired!—Ed.]

In other words, hackers now have all of the personal data they could ever want on 31 million Android users.

Any alliteration available at all? Iain Thomson calls it a Mongo mistake and gets a statement from Ai.type’s founder, Eitan Fitusi:

Another week, another open database left online.

He said it contained secondary information that was “mostly statistical behavior information, about user use patterns.” … “There is no sensitive data there, we are not collecting\storing \sending any password or credit card information. … We don’t even learn it on the local device!!! So no one that uses our keyboard cannot be offended in any way and they all can feel safe, the data is completely flat and non-personal.”

At which jeremy 3 scoffs thuswise:

It is in this guy’s interest to continue the mis-truth that the rest of your data is worthless.

As for leaving a database unsecured, that shows that they do not have a good tech team.

This guy sounds like a typical CEO of a tech company these days, arrogant and ignorant … linkedin profile is full of terms like "organic growth" and not "data security" [nor] "company integrity".

What should app writers learn? James “@jamesrbuk” Ball preaches up a storm:

Don't. Collect. Data. You. Don't. Need.

Don't. Store. Data. Any. Longer. Than. You. Need. It.

Paul M “@paul_furley” Furley could have told you so:

My “paranoid” habit of using fake names & unique, anonymous email addresses is starting to look pretty damn reasonable.

And don’t mention Tyler “@tdurd3n”:

When in doubt, don't use 3rd party keyboard apps. This isn't the first time **** like this has happened.

Although, Francisco‏ “@franciscof_1990” has never even heard of Ai.type:

And this, ladies and gents, is why you shouldn't trust weird ass companies, specially for a keyboard. What a massive cluster****.

Meanwhile, what should an Ai.type user do now? @secespresso has a suggestion:

Change your password, phone number, emails, phone/tablet, country of residence, full name...

Oh wait.

The moral of the story? Secure the data you collect. And don’t rely on Mongo’s defaults.

And finally …

The real Gotham city ...

… and why Batman comes from a place called “Gotham.”

The State of Security Operations

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Fredrik Linge (cc:by-sa)

Topics: Security