Passwords are not perfect, but it is still a good idea to use them. There was no password protecting a server run by Eitan Fitusi, co-founder of AI.type, a customizable on-screen keyboard. This meant anyone could access the company’s database of user records, a serious failure that was discovered by Kromtech Security Center and then reported by ZDNet.
Over 577 gigabytes of sensitive data about 31mn customers of AI.type were leaked. The breach only affected the Android customers of AI.type because data about Apple users was stored on a different server.
The leaked data included:
- the IMSI and IMEI numbers for each device
- the IP address and name of the customer’s internet provider, if connected to Wi-Fi
- information about the user’s contacts, including phone numbers and email addresses
- lists of the apps installed on each device, including banking apps
The ZDNet report highlighted the huge difference between what AI.type said about privacy and how the business behaved in real life.
…AI.type says on its website that user’s privacy “is our main concern.” Any text entered on the keyboard “stays encrypted and private,” says the company.
But the database wasn’t encrypted. We also found evidence that text entered on the keyboard does get recorded and stored by the company, though to what extent remains unclear.
The company also promises to “never share your data or learn from password fields,” but we saw one table containing more than 8.6 million entries of text that had been entered using the keyboard, which included private and sensitive information, like phone numbers, web search terms, and in some cases concatenated email addresses and corresponding passwords.
The lousy security for an app that people use when typing – which obviously will include the typing of sensitive information – highlights how trusting people are, and why they should be more wary.