Researchers have discovered a privacy leak of over 31 million users after an Israeli start-up misconfigured a MongoDB database.
Tel Aviv-based Ai.Type — a designer of virtual keyboards for mobile devices — leaked data on 31,293,959 users of its products, which have apparently garnered over 40 million downloads from the Google Play store.
However, while the exposure of the 577GB MongoDB database indicated poor security practice, researchers at Kromtech Security Center were even more shocked to see the breadth of information collected by the firm.
It included phone numbers, full names, device name and model, mobile network, SMS number, IMSI and IMEI numbers, email addresses, country of residence, social media links and location data for each customer.
“When researchers installed Ai.Type they were shocked to discover that users must allow ‘Full Access’ to all of their data stored on the testing iPhone, including all keyboard data past and present,” explained Kromtech chief communications officer, Bob Diachenko.
“It raises the question of why would a keyboard and emoji application need to gather the entire data of the user’s phone or tablet? Based on the leaked database they appear to collect everything from contacts to keystrokes. This is a shocking amount of information on their users who assume they are getting a simple keyboard application.”
Mark James, security specialist at ESET, said the start-up's collection of such a wide range of data was unacceptable.
“That in itself is a massive hoard of data to hold on a well secured server away from harm's reach, but sadly that was just not so. The database was not configured correctly and thus enabled full access from the internet to all the data being held, making it essentially free for all access,” he added.
“Always evaluate the permissions before you install any programs or applications, as there are so many choices these days it can sometimes pay dividends to pick and choose your apps wisely.”
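The misconfiguration described above, a MongoDB instance reachable from the internet with no credentials required, comes down to two settings in mongod.conf. The following added audit script is not from the article or from Ai.Type; it parses a constructed exposed configuration beside a constructed hardened one and flags the two settings (net.bindIp and security.authorization) that together allow anonymous access from anywhere.

```python
# Constructed sample configs (not Ai.Type's real configuration, which is not public).
EXPOSED_CONF = """\
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 0.0.0.0   # listens on every interface
# no security section, so authorization stays at its default of disabled
"""
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the app server's private address
security:
  authorization: enabled
"""

def parse_mongod_conf(text):
    """Minimal parser for the two-level YAML layout mongod.conf uses
    (section:, then indented key: value); comments and blanks are skipped."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):
            section = line.rstrip(":").strip()
            conf.setdefault(section, {})
        elif section is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            conf[section][key.strip()] = value.strip()
    return conf

def audit(conf):
    """Return findings describing an internet-facing, credential-free instance."""
    findings = []
    net = conf.get("net", {})
    bind_ip = net.get("bindIp", "127.0.0.1")  # mongod's default is localhost-only
    if net.get("bindIpAll") == "true" or any(
            ip.strip() in ("0.0.0.0", "::") for ip in bind_ip.split(",")):
        findings.append("net.bindIp listens on every interface")
    if conf.get("security", {}).get("authorization") != "enabled":
        findings.append("security.authorization is not enabled: no credentials required")
    return findings

if __name__ == "__main__":
    for name, text in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_mongod_conf(text)) or ["ok"])
```

Binding to a private address alone is not sufficient: the hardened sample keeps authorization enabled as well, so a host that can reach the port still needs a valid account.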