News / Virtual keyboard app collects personal info of 31m users, then leaks it online
Virtual keyboard app collects personal info of 31m users, then leaks it online
6 December 2017 |
Personal data of as many as 31 million users were leaked online following a configuration error by developers of Ai.Type, a startup that offers personalised virtual keyboard apps for Android and iOS device users.
Ai.Type failed to secure a 577GB database that contained personal information of millions of virtual keyboard app users, including contacts and keystrokes.
The massive data leak was discovered by researchers at the Kromtech Security Centre who noted with horror that the compromised data included phone numbers, full names, device names and models, mobile network names, SMS numbers, screen resolutions, user languages enabled, Android versions, IMSI numbers, IMEI numbers, e-mail addresses, country of residence, links to users' social media profiles, IP and location details of people who downloaded the virtual keyboard app.
The fact that a mere virtual keyboard app can gain access to so much personal information of users has left researchers stunned. It also reflects how much information app developers are collecting from users without letting such users know what they intend to do with such data.
At the same time, poor security practices followed by app developers are also placing such sensitive data belonging to millions of users at risk. Every single successful cyber-attack or developers failing to secure cloud data exposes millions of credentials and personal details of users, but many mobile phone users are not aware of such risks.
'Consumers give up more data than ever before in exchange for using services or applications. The scary part is that companies collect and use their personal data in ways they may not know. The concept is where people willing provide their digital in exchange for free or lower priced services or products,' the researchers said.
'Once that data is gone users have little to no knowledge of what is done with their personal data. Why would a keyboard and emoji application need to gather the entire data of the user’s phone or tablet? Based on the leaked database they appear to collect everything from contacts to keystrokes. This is a shocking amount of information on their users who assume they are getting a simple keyboard application,' they added.
Considering the unsecured database was accessed by malicious actors or hackers who are always on the prowl, those mobile device user who downloaded the Ai.Type virtual keyboard app have had all of their phone data exposed publicly online. Bob Diachenko, head of communications at Kromtech Security Center, wonders if it is really worth it for consumers to submit their data in exchange for free or discounted products or services that gain full access to their devices.
'It is clear that data is valuable and everyone wants access to it for different reasons. Some want to sell the data they collect, others use it for targeted marketing, predictive artificial intelligence, and cyber criminals want to use it to make money in more and more creative ways. This is once again a wakeup call for any company that gathers and stores data on their customers to protect, secure, and audit their data privacy practices,' adds Alex Kernishniuk, VP of strategic alliances at Kromtech.
Latest posts by Jay Jay (see all)
- Greater coordination between stakeholders a must to improve IoT security - 16th March 2018
- U.S. agencies using GrayKey devices to hack into citizens’ iPhones - 16th March 2018
- Microsoft fixes critical remote code execution flaw with latest security patch - 15th March 2018
- Police forces in China using smart glasses to track citizens in real time - 14th March 2018
- UK could launch offensive cyber operations against Russia - 14th March 2018