Ai.type recently exposed the critical user data of over 31 million clients by accident through a MongoDB database that was not secured. The virtual keyboard application's cybersecurity partner, Kromtech Security Center, found a 577Mb database hosted on the Mongo platform that held data from 31,293,959 of Ai.type's users and was accessible to anyone connected to the Internet.
The exposed information includes personal data such as biographical details (names, birthdates, phone numbers, social media accounts linked with the platform account, country of residence and location information) and technical details (device names and their respective models, IMEI, IMSI, and Android version numbers, preferred languages, IP addresses).
According to researchers investigating the situation, even more troubling are the 6 million files that included information extracted from personal user contacts saved through Google accounts, including biographical details for people connected with the Ai.type clients and search data for Google searches in a variety of different areas. Other information, such as the average number of messages sent in a day and the number of words in a message, was also exposed.
The team of scientists tasked with investigating the matter installed the app on their phones and were surprised that it requires users to give full access to the entirety of their mobile device’s data, including, but not limited to, the entire keyboard usage history.
A blog post from Tuesday, December 5th, by Kromtech employees explains that the contents of the unsecured database lead them to conclude that Ai.type stores everything from its clients' devices. They add that this is an astounding amount of data to hold on customers who are supposedly doing nothing but downloading a run-of-the-mill keyboard app. The cybersecurity firm suggests that the database leak exposes the unnecessary amount of information that Ai.type extracts from its unsuspecting users.
Kromtech says that MongoDB is a widely used online database storage service, employed by many famous companies, but that a simple slip such as a misconfiguration could give people full online access to its contents, allowing them to manipulate the stored information as they see fit.
Ai.type, operated and owned by a private firm from Israel’s capital, Tel Aviv, puts its user numbers at around 40 million across the globe and offers app versions designed and optimized for both iOS and Android.
Especially in light of this information, scientists are particularly concerned and puzzled as to the reasons why an app with the scope and purpose of Ai.type would require such private information from its users.
Kromtech communications director Bob Diachenko explains that it can be logically assumed that anyone with the Ai.type app on their mobile device has their complete device data up for grabs on the Internet. He suggests that this is of very serious concern, considering that hackers could very easily employ that information for illicit online activity. Alex Kernishniuk, VP of Kromtech’s strategic alliances division, explains that such data is clearly important and that access to it is desirable. The reasons for this could be very different, ranging from selling the data to user-targeted marketing strategies, and from predictive AI to various cybercrimes that get increasingly smart and creative.
Bob Diachenko poses the very serious and legitimate question of whether granting third parties full access to one’s user data in exchange for benefits like discounts is actually worth doing.
We have contacted Ai.Type for further comment and will update this post upon receiving a response.