The database, which appeared to contain information exclusively from Android users, belonged to AI.type co-founder Eitan Fitusi.
Security experts from Kromtech Security Center who discovered the breach said the company's database wasn't secure with a password, meaning the data was easily accessible to hackers and anyone else who may have inadvertently stumbled across it.
Another week, another open database left online, but this latest case has shown not only sloppy security but also how much data you're giving up with some apps. But as security researchers at Kromtech Security Center recently discovered, AI.type has not been adequately protecting its databases.
While it may have tens of millions of users all over the world, the app's developers failed to protect the database with a password, enabling anyone to access this database that is over 577 GB heavy. The server also stored precise location data about the user, including city and country.
Other records are significantly more detailed.
Perhaps most troubling for users of AI.type was the discovery of more than 8.6 million text entries that contained information typed on the keyboard app.
More complete records also include the device's IMSI and IMEI number, the device's make and model, its screen resolution, and the device's specific Android version.
We also found several tables of contact data uploaded from a user's phone. One of the leaked database tables includes 10.7 million email addresses from contact data. It's not clear for what reason the app uploaded email addresses and phone numbers of contacts on users' phones.
Numerous kinds of records of the app's users were available on the server.
It's not uncommon for keyboard apps to ask for wide-ranging permissions to access data on a user's device-and in many cases, users are willing to grant it because the keyboard is an essential tool. AI.type is no exception, with read access to contact data, text messages, photos and video access and other on-device storage, record audio, and full network access. 31 million users are said to be affected. Any text entered on the keyboard "stays encrypted and private", says the company.
More than six million records contained data collected from users' contact books including names, phone numbers and contacts saved or linked to Google account, researchers found. "This is a shocking amount of information on their users who assume they are getting a simple keyboard application", Kromtech wrote in a blog post published Tuesday (5 December).
"Theoretically, it is logical that anyone who has downloaded and installed the Ai.Type virtual keyboard on their phone has had all of their phone data exposed publicly online", he told ZDNet.