Another day, another misconfigured database exposing customer data online.

Today’s data breach involving 31 million records collected by Israeli emoji mobile keyboard maker AI.type. First spotted by the Kromtech Security Center, the data was found on a misconfigured MongoDB installation that AI.type had failed to make private and also had failed to set password protection for.

The database of 577 gigabytes of data collected from users of the keyboard included a huge range of personal information. It included phone number, full name of the owner, device name and model, mobile network name, SMS number, screen resolution, user languages enabled, Android version, IMSI and IMEI numbers (both used to identify a mobile phone), email addresses associated with the phone and country of residence. The data also included links to and information about social media sites accessed by customers, though notably it didn’t include passwords.

Why AI.type would be gathering that amount of information, seemingly irrelevant to its role of providing an emoji-focused keyboard, is not entirely clear, particularly given the company itself states that it does not sell the data to third parties.

Strangely, the data breach applies only to Android users of AI.type keyboards, not iOS users. There is no confirmation that malicious actors had accessed the data, though “theoretically, it is logical that anyone who has downloaded and installed the Ai.Type virtual keyboard on their phone has had all of their phone data exposed publicly online,” said Bob Diachenko, head of communications at Kromtech Security Center.

“This presents a real danger for cybercriminals who could commit fraud or scams using such detailed information about the user,” Diachenko added. “It raises the question once again if it is really worth it for consumers to submit their data in exchange for free or discounted products or services that gain full access to their devices.”

AI.type’s data breach is far from lacking precedent in recent times, as an ever-growing number of companies have been caught misconfiguring their databases and exposing customer data online. The most recent example was the National Credit Federation in late November, joining a list that includes the U.S. Army Intelligence and Security Command, Accenture Plc., Verizon Communications Inc. and U.S. military contractor TigerSwan.

Image: AI.type