"The misconfigured MongoDB database appears to belong to Ai.Type a Tel Aviv-based startup that designs and develops a personalized keyboard for mobile phones and tablets for both Android and iOS devices", Kromtech Security Center said. The server also stored precise location data about the user, including city and country.
Data including phone numbers, a user's name, their device name and model, network name, screen resolution, user language and Android version are reportedly compromised - as well as extraordinary details that many users likely never knew the app could see. This data is then monetised through advertising, but it was also stored on the insecure server, linked to individual users. Third-party keyboards not only tend to offer more features than the stock keyboard shipping on most smartphones, but in some cases they provide better auto-correct and prediction technology than the first-party alternatives. Fitusi is the co-founder of AI.type, a customisable on-screen keyboard which boasts as many as 40 million users worldwide. Every successful cyber-attack, or failure by developers to secure cloud data, exposes millions of credentials and personal details of users, but many mobile phone users are not aware of such risks.
And the app touts privacy as a big focus, noting that text tapped into the keyboard is private and encrypted.
When researchers installed Ai.Type, they were shocked to discover that users must allow "Full Access" to all of their data stored on the testing iPhone, including all keyboard data past and present.
ZDNet, which obtained a portion of the database to verify the information collected by the servers, made a few scarier revelations about the breach. ZDNet said it also uncovered contact details from users' address books.
The boss of the Israeli company behind the app admitted the breach but said most of the data was not sensitive. Android users who install the free version of the app might be scared away by an alert that says the keyboard may collect "all the text you type", including passwords and credit card numbers.
The researchers claimed data left visible included names, phone numbers, locations and Google queries.
For reasons that are unclear, some of the leaked information is reported to also include details linked to Google profiles, such as birth dates, genders, and profile pictures.
"It is clear that data is valuable and everyone wants access to it for different reasons." Bob Diachenko, head of communications at Kromtech Security Center, wonders if it is really worth it for consumers to submit their data in exchange for free or discounted products or services that gain full access to their devices. "Some want to sell the data they collect, others use it for targeted marketing, predictive artificial intelligence, and cyber criminals want to use it to make money in more and more creative ways".
Alex Kernishniuk of Kromtech said: "This is once again a wake-up call for any company that gathers and stores data on their customers to protect, secure, and audit their data privacy practices."