- Records of Android users leaked from the app’s server
- Detailed records leaked for free users, compared to basic records for paid users
- Server has been secured but extent of damage not known yet
A popular virtual keyboard app from Tel-Aviv, AI.type, has leaked personal data of customers due to a server security failure. 31 million users are said to be affected. Confirmed last week, the leak was from AI.type’s server that is owned by the app’s co-owner Eitan Fitusi. The keyboard app claims to have more than 40 million users globally.
The leak was detected by the Kromtech Security Center, which reported over 577GB of data was leaked from the company’s server. It is believed that the data was accidentally shared when the server was not secured with a password. The database contained records of only the app’s Android users, ZDNet reports, adding that Fitusi acknowledged the breach this weekend.
According to the Kromtech Security Center, the AI.type server had been using a Mongo-hosted database that is used by many well-known companies and organisations to store data, but a simple misconfiguration could allow the database to be easily exposed online. A big flaw in this kind of database lets anyone access, edit or even delete the data stored on it. Co-founder Eitan Fitusi has since claimed that the server is now secure, but the extent of the damage is not known.
Numerous kinds of records of the app’s users were available on the server. Each record contained a basic set of data that includes the user’s name, email addresses, and the number of days since the app was installed on their device. Some records had detailed information including the user’s precise device location, device IMEI and IMSI numbers, device model, and the specific Android version.
The report also states that there is significantly more user data collection in the free version of the app, compared to the paid, mostly because the former would be actively involved in monetisation through advertising. “Consumers give up more data than ever before in exchange for using services or applications. The scary part is that companies collect and use their personal data in ways they may not know. The concept is where people willingly provide their digital in exchange for free or lower priced services or products,” said Bob Diachenko of Kromtech Security Center in a blog post.