31 Million Client Registration Files Leaked by Personalized Keyboard Developer.Back to blog
The Kromtech Security Center has discovered a massive amount of customer files leaked online and publically available. Researchers were able to access the data and details of 31,293,959 users. The misconfigured MongoDB database appears to belong to Ai.Type a Tel Aviv-based startup that designs and develops a personalized keyboard for mobile phones and tablets for both Android and iOS devices.
Ai.Type was founded in 2010 and According to their site, their flagship product for Android was downloaded about 40 million times from the Google Play store and the numbers of downloads and user bases are rapidly growing. They plan to integrate Matching Bots as a user types their conversation and that their Ai type keyboard will soon offer a “Bots Discovery Platform” Via Keyboard. There was also a notice of a name change from Ai.Type to Bots Matching Mobile Keyboard in the coming year.
Giving up data for personalized services and apps
Consumers give up more data than ever before in exchange for using services or applications. The scary part is that companies collect and use their personal data in ways they may not know. The concept is where people willing provide their digital in exchange for free or lower priced services or products. A study from the Annenberg School for Communication at the University of Pennsylvania concluded that a majority of Americans do not think the trade-off of their data for personalized services is a fair deal.
Once that data is gone users have little to no knowledge of what is done with their personal data. Why would a keyboard and emoji application need to gather the entire data of the user’s phone or tablet? Based on the leaked database they appear to collect everything from contacts to keystrokes. This is a shocking amount of information on their users who assume they are getting a simple keyboard application.
How the data leak occured and what it contained
Ai.Type accidentally exposed their entire 577GB Mongo-hosted database to anyone with an internet connection. This also exposed just how much data they access and how they obtain a treasure trove of data that average users do not expect to be extracted or datamined from their phone or tablet. MongoDB is a common platform used by many well known companies and organizations to store data, but a simple misconfiguration could allow the database to be easily exposed online. One flaw is that the default settings of a MongoDB database would allow anyone with an internet connection to browse the databases, download them, or even worst case scenario to even delete the data stored on them.
Summary of what the database contained:
Client files that included the personal details of 31,293,959 users who installed ai.type virtual keyboard. This is highly sensitive and identifiable information such as:
Phone number, full name of the owner, device name and model, mobile network name, SMS number, screen resolution, user languages enabled, Android version, IMSI number (international mobile subscriber identity used for interconnection), IMEI number (a unique number given to every single mobile phone), emails associated with the phone, country of residence, links and the information associated with the social media profiles (birthdate, title, emails etc.) and photo (links to Google+, Facebook etc.), IP (if available), location details (long/lat).
Phonebook and Contact Records
6,435,813 records that contained data collected from users’ contact books, including names (as entered originally) and phone numbers, in total more than 373 million records scraped from registered users’ phones, which include all their contacts saved/synced on linked Google account.
Additionally, user data from a folder titled ‘old database’ that contained 753,456 records were also available.
There was a range of other statistics like the most popular users’ Google queries for different regions. Data like average messages per day, words per message, age of users, words_per_day': 0.0, 'word_per_session and a detailed look at their customers
The Danger of the Ai.Type Data Leak
Bob Diachenko, head of communications at Kromtech Security Center:
Theoretically, it is logical that anyone who has downloaded and installed the Ai.Type virtual keyboard on their phone has had all of their phone data exposed publicly online. This presents a real danger for cyber criminals who could commit fraud or scams using such detailed information about the user. It raises the question once again if it is really worth it for consumers to submit their data in exchange for free or discounted products or services that gain full access to their devices.
Alex Kernishniuk, VP of strategic alliances, Kromtech:
It is clear that data is valuable and everyone wants access to it for different reasons. Some want to sell the data they collect, others use it for targeted marketing, predictive artificial intelligence, and cyber criminals want to use it to make money in more and more creative ways. This is once again a wakeup call for any company that gathers and stores data on their customers to protect, secure, and audit their data privacy practices.