According to a new report, over 31 million users of ai.type Keyboard have had personal data exposed. While the keyboard boasts more than 40 million users across Android and iOS, it appears that only Android users had their data leaked.
Security researchers at the Kromtech Security Center discovered an unsecured database server owned by Eitan Fitusi, co-founder of ai.type. The server contains more than 577 GB of data and was accessible to anyone. It is now secure as Futsi added a password to it after researchers tried several times to contact him.
Editor’s pick: Best Android security practices
Almost every record included a device’s IMSI and IMEI number. Those are unique numbers that cellular networks use to identify subscribers. The app also collected data on the make and model of the phone, its screen resolution, and its Android version.
Most records include a user’s phone number, the name of their service provider, and if the user was on Wi-Fi, their IP address, and internet service provider. The records also contained details from users’ public Google profile like email addresses, birth date, gender, and profile picture.
It gets worse.
In its Google Play listing, ai.type states that users’ privacy is its principal concern. The company also claims that text typed on the keyboard is encrypted and private. But, that appears to be 100% marketing speak to encourage users to download the app. Security is apparently not a huge concern because the company left its database with 10.7 million email addresses and 375.6 million phone numbers unsecured.
It also appears that the text typed on its keyboard was neither encrypted nor private. Since researchers could download and look through the files, there was obviously no encryption. Researchers also found a table of over 8.6 million entries of text that had been entered on the keyboard. Those records contain phone numbers, web search terms, and email addresses and their corresponding passwords. That seems to go against ai.type’s promise that it will “never share your data or learn from password fields.”
The security implications are clear here. Everything from names and email addresses to passwords and personal details could’ve been download by anyone. If you have ever downloaded ai.type, we suggest immediately deleting it, and changing all your passwords. You may want to consider using a password manager. We laid out some of the best options here.
Many times when unscrupulous individuals get their hands on information like this, they try to use it for social engineering hacks. This can be as simple as calling a carrier and opening up a new line so they can order a phone or try to gain access to your email accounts. Be sure to look out for any suspicious activity.
December 5, 2017 at 01:02PM