Personal info of 31 million people leaked by popular virtual keyboard Ai.type

Data belonging to 31 million users of the popular smartphone virtual keyboard, Ai.type, has leaked online after the developer failed to properly secure the app’s database.

Ai.type is a freemium virtual keyboard that runs on iOS and Android, with the bulk of the users on Android. According to the developers, Ai.type can learn the user’s writing style, and even auto-insert emoji.

According to Zack Whittaker of ZDNet, the app’s database server was left online without any form of authentication. This meant anyone could access the company’s treasure-trove of personal information, which totals more than 577 gigabytes of data, without needing a password.

The data encompasses basic biographical data (like names and e-mail addresses). It also includes information about the device, like its make and model, IMSI and IMEI numbers, the screen resolution, and the specific make and model of the device.

Some information is worryingly personal. It contains the precise location of the user, their phone number and cell provider, and according to Whittaker, the user’s IP address and ISP, if they use the keyboard while connected to Wi-Fi.

For reasons unclear, it also uploaded a list of each app installed on the phone, allowing the makers to, in theory, determine what banking and dating apps were being used.

Ai.type effectively enumerated the device it was being used on. It also uploaded hundreds of millions of phone numbers and e-mail addresses, suggesting that the keyboard was accessing the users’ contact information.

I'm horrified by this data leak. Email addresses, phone numbers, and precise locations of 31 million users is bad enough, but the data also includes every user's contacts list — some 374.6 million phone numbers alone. https://t.co/rvNuPbP6Vr pic.twitter.com/AinjASnOyG

— Zack Whittaker (@zackwhittaker) December 5, 2017

ZDNet claims the database also contained “concatenated email addresses and corresponding passwords.” Ai.type says that they never “learn from password fields.”

It’s not clear if these email-and-password combos are the product of user-error (i.e. an individual forgetting to press ‘tab’ after they’ve typed their email), or the result of misconduct by Ai.type. 

The open database was found by researchers at the Kromtech Security Center. Speaking to TNW, Bob Diachenko, Kromtech’s Head of Communications said the leak “… is pretty bad, indeed. Nobody expects his or her phone book or other device or location related details to be exposed to the public internet.”

According to Diamchenko, the leak was a result of a misconfigured MongoDB server “left unprotected for anybody to access/read/write.” Even purely from a business perspective, this is extremely risky.

“The danger of having [an] unprotected MongoDB [database] is huge. In January 2017, 27,000 — or roughly a quarter — of MongoDB databases left open to the internet were hit by ransomware, and again in September 2017 three groups of hackers wiped out an estimated 26,000 MongoDB databases. The cyber criminals demanded that the owners of those databases pay around $650 in Bitcoin to regain their data.”

Fortunately, the database has since been secured, although Diamchenko said that this happened “a couple of days after we notified the owner.” That’s pretty astonishing, considering it’s pretty trivial to add a password to a MongoDB install.

This is once again a wakeup call for any company that gathers and stores data on their customers to protect, secure, and audit their data privacy practices.

In a story like this, there are few grains of positivity to cling to. On the plus side, the leaked data only affects Android users, meaning the estimated nine million iOS users of Ai.type are safe.

Broadly speaking, the worst of the data seems to affect users of the free version. That makes sense; if you’re running targeted ads, it helps to know more about the person you’re serving them to. If you’ve paid up for Ai.type, your exposure to this leak is decreased significantly.

Finally, the type of egregious security misconfiguration that resulted in this leak will go away after the release of MongoDB 3.6, which makes it impossible to accidentally connect a database to the Internet without authentication.