Keyboard maker AI.type exposes 31M customer records in latest database breach
Dec 06 2017 by Joanne Wise
The details seem to have leaked online after the app's developer failed to secure the database's server.
But the security researchers found that this isn't the case: not only was there an unsecured server sitting full of user data, but the texts weren't encrypted either. They were able to download and look through the database files, where they found a table containing 8.6 million entries of text that had been typed into the keyboard app.
Researchers had attempted to contact the company behind AI.type on multiple occasions, but it wasn't until this past weekend that the company finally acknowledged it. AI.type says it has now secured the database, and that the leak didn't impact AI.type's nine million iOS users.
The database included phone numbers, full names, device name and model, mobile network, SMS number, IMSI and IMEI numbers, email addresses, country of residence, social media links and location data for each customer. Those who logged into the app using a Google profile also had their information scraped, revealing email addresses, dates of birth, gender and even profile photos.
The database also housed each person's phone number and the name of their mobile carrier. In some cases it also listed other apps installed on a device.
It doesn't stop there, as the app also seemingly had access to a user's contacts. The text records showed potentially sensitive information typed by users, including phone numbers, web search terms, and login credentials.
It's not unusual for on-screen keyboards to have wide-ranging access to some of the highest levels of Android permissions.
"There is no sensitive data there, we are not collecting\storing \sending any password or credit card information", he said.
While the database discovered to be leaking information collected by AI.type has been secured, the app itself is still collecting the same data.
So the promise of privacy that ai.type outlines on its website appears to have a strong whiff of BS. We also found evidence that text entered on the keyboard does get recorded and stored by the company, though to what extent remains unclear.
"Why would a keyboard and emoji application need to gather the entire data of the user's phone or tablet?"
Bob Diachenko, from the Kromtech Security Centre, part of security company Mackeeper, said the amount of data required by the app at point of download was "shocking".
"This presents a real danger for cyber criminals who could commit fraud or scams using such detailed information about the user", he rightly pointed out.
"It raises the question once again if it is really worth it for consumers to submit their data in exchange for free or discounted products or services that gain full access to their devices".
"It is clear that data is valuable and everyone wants access to it for different reasons", Alex Kernishniuk, VP of strategic alliances at Kromtech, said.