A misconfigured MongoDB database and overreaching app permissions led to millions of personal records being leaked by a virtual keyboard developer.
Kromtech Security Center discovered the keyboard data leak by mobile developer Ai.type, which makes a mobile alternative keyboard app for Android and iOS. According to Kromtech, Ai.type used the default settings on its MongoDB database, meaning all 577 GB of data -- and 373 million records -- was publicly exposed.
The Ai.type keyboard data leak may have been caused by misconfigured MongoDB database settings, but researchers also noted the extensive permissions the keyboard asked of users. According to ZDNet, which first reported Kromtech's findings, the exposed data was properly secured after repeated attempts by the news outlet to contact Ai.type about the exposure.
The Ai.type keyboard asked users for "full access" to device data, which allowed the app to gather sensitive personal information and identifiable data on the mobile hardware being used.
The keyboard data leak included information gathered from more than 31 million users who had installed the Ai.type keyboard. This information included sensitive data such as names, phone numbers, mobile hardware identification info, email addresses and country of residence. Additionally, more than 6 million records gathered from user contacts were exposed.
"Theoretically, it is logical that anyone who has downloaded and installed the Ai.Type virtual keyboard on their phone has had all of their phone data exposed publicly online," Bob Diachenko, chief communication officer at Kromtech, wrote in a blog post. "This presents a real danger for cyber criminals who could commit fraud or scams using such detailed information about the user. It raises the question once again if it is really worth it for consumers to submit their data in exchange for free or discounted products or services that gain full access to their devices."