As detailed in a new report from ZDNet, personal data from over 31 million users of the popular AI.type customizable keyboard has been leaked to the public.
Perhaps most troubling for users of AI.type was the discovery of more than 8.6 million text entries that contained information typed on the keyboard app. Also, the misconfigured database seems to have contained information linked only to Android users of the app, meaning that data belonging to the app's iOS users is unaffected.
The server wasn't protected with a password, allowing anyone to access the company's database of user records, totaling more than 577 gigabytes of sensitive data. Users of the app may want to think twice about typing any sensitive information while using it, as it is likely to be sucked up and stored on a server.
The records themselves contain each user's full name, email address, how long they have had the app installed as well as precise details on their exact geographical location.
ZDNet, which obtained a portion of the database to verify the information collected by the servers, made a few more alarming revelations about the breach.
Harvesting full name, phone number, email address, device name, screen resolution, and model details, along with so much more personal info, and then also uploading users' entire contacts lists, is not acceptable. Android users who install the free version of the app might be scared away by an alert that says the keyboard may collect "all the text you type", including passwords and credit card numbers.
ZDNet also confirmed that AI.type was scraping contact information from users' phones, with one data table containing over 10.7 million email addresses and another with 374.6 million phone numbers.
While many of those details amount to basic records, the database also houses records that reveal more sensitive information about users.
Several tables contained lists of each app installed on a user's device, such as banking apps and dating apps.
Bob Diachenko, head of communications at Kromtech Security Center, said: 'Theoretically, it is logical that anyone who has downloaded and installed the Ai.Type virtual keyboard on their phone has had all of their phone data exposed publicly online.' In particular, he denied that IMEI information was collected, said the collected geo-location data was not accurate, and pointed out that user behavior data was only collected from ads that were clicked.
Interestingly, AI.type says on its website that user privacy "is our main concern", and that any text entered on the keyboard "stays encrypted and private".
'It is clear that data is valuable and everyone wants access to it for different reasons.'
"It raises the question once again if it is really worth it for consumers to submit their data in exchange for free or discounted products", the company said in its blog post. However, he outlined that most of the data was not sensitive.
This is once again a wake-up call for any company that gathers and stores data on its customers to protect, secure, and audit its data privacy practices.