Personal Data of 31 Million Virtual Keyboard App Users Leaked Online

Personal Data of 31 Million Virtual Keyboard App Users Leaked Online

A database containing more than 577 gigabytes of data about the users of the Ai.type virtual keyboard was exposed online. Learn about the types of personal data that was made public and what you should do to protect yourself from leaks like this.

The personal records of more than 31 million people were leaked online, according to the Kromtech Security Center researchers who discovered the problem in December 2017. The victims were users of a popular virtual keyboard app offered by Ai.type. While the app works on both iOS and Android devices, the leak occurred on a server that contained only the records of the app’s Android users. The leak occurred because the server that housed the Android user database was not protected with a password, allowing hackers to access the database and expose it online.

The Types of Personal Data Leaked

The leaked database housed 577 gigabytes of data, including the client files of the Android users who downloaded the Ai.type keyboard. These files contained many personal details about those users, such as their full names, email addresses, and phone numbers. Also included were links to and details from the users’ social media profiles (e.g., birthdates).

The client files also included information about the users’ devices, such as the devices’ names, models, and International Mobile Equipment Identity (IMEI) codes. Every mobile device is assigned a unique IMEI code, which is used to identify the device on mobile networks.

Besides containing details about the keyboard users and their devices, the leaked database stored information from users’ contact lists. When ZD-Net examined a portion of the leaked database, it found several tables of contact data. One table had a stockpile of 374.6 million phone numbers, while another one had a stash of 10.7 million email addresses.

The database also stored the text users typed on their devices’ virtual keyboards. ZD-Net found more than 8.6 million text entries. Mixed in with more benign items such as web search terms were highly sensitive login credentials — email addresses and corresponding passwords concatenated together.

Ai.type’s privacy policy mentions that it collects and stores these types of data. According to the Ai.type keyboard web page in Google Play, this text is supposedly encrypted to protect users’ privacy. However, the text entries and all the other data in the leaked database were in plain text.

After Ai.type was told about the leak, it secured the server. However, the data is already publicly available. So, if you are using this virtual keyboard on your Android device, be sure to change any passwords you might have entered on it, especially if you tend to reuse passwords. Hackers sometimes launch credential stuffing attacks. In this type of attack, distributed botnets try using leaked or stolen credentials to access various websites. This is done slowly from many different IP addresses to avoid setting off alerts (e.g., three unsuccessful login attempts) that could expose the attack.

No matter whether you are using the Ai.type keyboard or not, you should avoid using the same or a similar password for more than one online account. Instead, create a unique, strong password for each account. That way, if hackers obtain one account password, they won’t be able to use it to access other accounts.

It is also a good idea to read the privacy policy for any app you download. You might be surprised at the types of the data the app’s vendor is collecting about you.

About CHIPS Computer Services

CHIPS Computer Services is an award-winning Technology Success Provider specializing in helping businesses increase efficiencies and profits by leveraging properly managed technology. To learn how CHIPS can help your business, email us at to schedule a no cost business technology assessment.