Security researchers have discovered a massive collection of personal data belonging to more than 31 million users of the popular virtual keyboard app, AI.type, after the information was accidentally leaked online. It is possible for anyone to download the sensitive data without requiring a password. A misconfigured MongoDB database is thought to have been the reason for the exposure of AI.type’s entire 577 GB database. IT security experts commented below.
Javvad Malik, Security Advocate at AlienVault:
“It is concerning that a keyboard app is collecting excessive data from users which isn’t needed for its operation. Unfortunately, many companies will opt to gather as much data as possible from its users that can be analysed or sold onto third parties.
The fact that this breach occurred via a misconfigured MongoDB database is not all that surprising. We’ve seen a rise in incidents where data is breached from misconfigured services, of which Amazon S3 buckets are amongst the most common.
It highlights the importance of companies to have cloud security expertise, and the right cloud monitoring tools in order to gain assurance that misconfigurations and security vulnerabilities aren’t left in the environment.”
Lee Munson, Security Researcher at Comparitech.com:
“When it comes to apps, much like everything else in life, if they’re not free then the chances are that you are the product.
“And so it is with the AI.type virtual keyboard found installed on millions of mobile devices.
“If the fact that the company behind it has been breached isn’t a worry in itself, anyone using the app should definitely be concerned about the nature of the information stolen.
“Going way beyond that which may be expected – names, email addresses and, perhaps, the IMEI number of the device used to install it, the company appears to have collected… everything!
“The misconfigured database that was breached contained a huge treasure trove of information for the attacker, with every keystroke ever made recorded within its bowels.
“Given that could include sensitive, personal or intimate chats, as well as contacts’ names and phone numbers, that presents a very real danger to everyone affected and should serve as a reminder to all to check the terms, conditions and permissions of every app they ever install.
“After all, who in their right mind would give full access to a keyboard that records absolutely everything they type and possibly even everything they typed prior to installation?”
John Gunn, Chief Marketing Officer at VASCO Data Security:
“Most users never read the app permissions disclosure when downloading an app and they don’t realize they are giving away access to almost everything including many areas the app publisher has no legitimate use for, but a few more damaging leaks like this one and that may change.
“Before, people only had to worry about their own gullibility, now users have to also worry about naive friends giving up their data to irresponsible and over-reaching app publishers.”
Robert Capps, Vice President at NuData Security:
“This unprecedented ruling by the UK High Court is a stark warning for businesses embroiled in data breaches. It raises the stakes involved since the company can still be held liable for the actions of one disgruntled employee and means, more-so than ever, the current measures in place for organizations to stop the damages from data breaches need a radical overhaul.
Companies have the burden of making sure there are no vulnerabilities in their system, including those weaknesses employees can take advantage of. For this, changing the value of the data stolen could help discourage external and internal bad actors.
Combining authentication techniques with more secure forms of online authentication such as passive biometrics will drastically reduce the value of the leaked data downstream after the breach, helping to keep organizations and customers safe from the disastrous fallout from a data breach.”
Ray DeMeo, Co-Founder and Chief Operating Officer at Virsec Systems:
“This breach highlights how vulnerable we are to apps or third-party tools that may be sloppy or reckless with security. Consumers are also notorious for choosing convenience over security and blithely allowing apps to have “full access” to anything on their phones. We need to change to a much more defensive security model: assume all but the most trusted apps and vendors are likely to be careless and get breached. If you care at all about personal information, don’t voluntarily hand it over, and never allow untrusted apps to access other data on your devices.”