The developer of a personalised keyboard app left a vast amount of highly sensitive user data exposed online, having failed to secure the database that stored the information.
Security vendor Kromtech discovered a MongoDB database instance belonging to AI.Type - a company that develops a personalised keyboard app for Google's Android and Apple's iOS - with no access controls, allowing anyone to connect to it over the internet.
The personal details of more than 31 million AI.Type users were stored in the database.
Since the keyboard app asks users for full access to their devices, AI.Type collects very sensitive personal information.
This ranges from names and email addresses to birthdates, social media profile data, photos, locations, and Kromtech said AI.Type appeared to capture users' keystrokes as well.
AI.Type also uploaded users' contacts and their phone numbers into the exposed MongoDB database.
The app similarly collects device information such as hardware and network identifiers, operating system versions, and more.
In total, the unsecured MongoDB instance contained 577 gigabytes of data.
The security vendor questioned why a keyboard app needed to gather full data from users' phones and tablets.
"This is a shocking amount of information on their users who assume they are getting a simple keyboard application," Kromtech said.
.png&h=140&w=231&c=1&s=0)
_page-0001.jpg&w=100&c=1&s=0)
Integrate Expo 2025
.png&w=120&c=1&s=0)
Security Exhibition & Conference 2025
Digital As Usual Cybersecurity Roadshow: Brisbane edition
iTnews Benchmark Security Awards 2025
.jpg&h=140&w=231&c=1&s=0)
.jpg&h=140&w=231&c=1&s=0)
