
AI.type, a popular virtual keyboard app available for iPhone and Android smartphones, was discovered to have leaked personal information belonging to a large portion of its more than 40 million users. Security researchers at Kromtech Security Center first found the unsecured and unprotected database online that contained more than 577 gigabytes of data from more than 31 million AI.type users.

While the database discovered to be leaking information collected by AI.type has been secured, the app itself is still collecting the same data. Users of the app may want to think twice about typing any sensitive information while using the app, as it is likely to be sucked up and stored in a server. Even if that database is protected, it is unsettling to know that information is being recorded.

For users who are worried they may have typed a password or other sensitive information while using the app, there is little recourse as it’s impossible to know for sure if that data was recorded and exposed. It’s best to change passwords to be safe when there is fear of potential exposure. It also serves as a reminder to not reuse passwords, as one being exposed can lead to multiple accounts being compromised.

The database, which appeared to contain information solely from Android users, belonged to AI.type co-founder Eitan Fitusi. The massive trove of information was not protected by a password, meaning anyone with the direct URL to the database could access the information stored within.

Much of the information consisted of basic but identifying details about AI.type users. The database contained the full name and email address of each user, as well as information about how many days the app had been installed on their device. The server also stored precise location data about the user, including city and country.

While many of those details amount to basic records, the database also housed records that revealed more sensitive information about users. Some records included the International Mobile Subscriber Identity (IMSI) and International Mobile Equipment Identity (IMEI) numbers, two data points that are unique to an individual's device. Accompanying the numbers were the make and model of the device, its screen resolution and the version of Android it was running.

The database also housed each person’s phone number and the name of their mobile carrier. If the user’s device was connected to a Wi-Fi network, the app also leaked the IP address of the device and the internet provider of the network. Other records included information from linked Google profiles including profile pictures, email addresses, dates of birth and genders.

In total, the database contained more than 10.7 million email addresses and 374.6 million phone numbers, suggesting the app accessed the contacts of its users and uploaded that information to its database. In some cases it also listed other apps installed on a device.

Perhaps most troubling for users of AI.type was the discovery of more than 8.6 million text entries that contained information typed on the keyboard app. The text records showed potentially sensitive information typed by users, including phone numbers, web search terms, and login credentials.

For users of AI.type, the text records could be troublesome, as it means logging in to any site or service with AI.type installed may have revealed that information. Because the app treats it as a text record and doesn’t inherently know it’s a password, it can’t encrypt that data to protect or separate it from any other typing.

It’s not uncommon for keyboard apps to ask for wide-ranging permissions to access data on a user’s device—and in many cases, users are willing to grant it because the keyboard is an essential tool. The unprotected database from AI.type reveals just how much detail the app can grab from users without their explicit knowledge.