Conflicting accounts have emerged about a security breach involving the ai.type add-on keyboard for iOS and Android, with researchers claiming that 31 million people's data has been compromised — with a user's contacts also potentially included in the leak.
The Kromtech Security Center discovered on Tuesday that a MongoDB database used to collect data on ai.type keyboard users was misconfigured, and was available on the internet. Contained in the database is reportedly "data and details of 31,293,959 users" of the ai.type keyboard.
According to the researchers, user information includes phone numbers, full names, device name and model, mobile network name, SMS number, screen resolution, user languages enabled, Android version, IMSI number, IMEI number, emails associated with the phone, country of residence, links and the information associated with the social media profiles including birthdates and photos, IP, and location details.
Making the situation worse, it appears that 6.4 million records contained data gleaned from a user's Contacts, including names and phone numbers, leading to a total of 373 million records in the briefly publicly available database.
Other information in the database includes average messages per day, words per message, and ages of users.
"It is logical that anyone who has downloaded and installed the Ai.Type virtual keyboard on their phone has had all of their phone data exposed publicly online. This presents a real danger for cyber criminals who could commit fraud or scams using such detailed information about the user," said Kromtech's Head of Communications Bob Diachenko. "It raises the question once again if it is really worth it for consumers to submit their data in exchange for free or discounted products or services that gain full access to their devices."
Upon installation, ai.type asks for "Full Access." If permission is granted, the add-on keyboard can transmit absolutely anything typed through the keyboard to the developer. However, the company claims that it will never use personal information it collects — but if Kromtech is correct, the company appears to have stored a fair amount of information from the user's device anyhow.
Ai.type tells a different story about the data contained in the database — but does not deny that a database was available publicly for a period of time.
Speaking to the BBC, Chief Executive Eitan Fitusi says that the stolen information was a "secondary database." Additionally, he claims that the IMEI information was never collected by the company, user data collected only involves what ads are clicked by the user, and that the location data wasn't accurate.
Fitusi claims that the database has been secured since the breach.
The company that found the database, Kromtech, is the company that develops and sells the poorly regarded MacKeeper suite of applications.