Mobile & Gadgets

Oops! This Android keyboard app accidentally leaked 31 million users’ personal details

31 million users of an Android keyboard app have had their email addresses, phone numbers, and precise location exposed through the sheer carelessness of the app’s developer.

As ZDNet reports, customisable keyboard app AI.type left a 577GB database of sensitive data on an unsecured server which was left completely accessible to anybody, no password required.

The customisable keyboard app, which has been downloaded from the Google Play store approximately 40 million times, stored information on a Mongo-hosted database that had not been properly secured to prevent unauthorised access.

As if it wasn’t bad enough that 31 million users of the app had been put at risk, one of the database tables discovered by researchers contained an astonishing 374.6 million phone numbers – collected by the app (for reasons best known to itself) after it uploaded users’ contacts from their smartphones.

Yet more information stored in the exposed database detailed the apps installed on each users’ device, including banking and dating apps.

Users of the free edition of AI.Type were left particularly exposed as that version of the app collects more information than the paid edition, in order to make money through more targeted advertising.

According to security researchers at Kromtech, who discovered the unsecured database, it took several attempts to contact AI.Type, and for the poorly-configured server to be secured.

As has been noted before, despite there being security functionality built into MongoDB many administrators continue to make the mistake of not properly configuring the software – effectively creating a goldmine of information for data thieves.

For its part, MongoDB has published a security checklist describing best practices for protecting an installation of the software.

Whether you call data leaks like this an accident or evidence of incompetence is a matter of opinion, but one thing is clear – it is innocent users who are having their privacy and security put at risk by app developers like those who built AI.Type.

About the author


Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.