After the developer of the virtual keyboard app Ai.Type left a 577GB MongoDB-hosted database unsecured, personal data on more than 31 million customers was exposed to anyone with an internet connection, according to a blog post by Kromtech Security Center, whose researchers discovered the leaky database.
Information exposed included phone numbers, owners' names, devices, mobile networks, SMS numbers, email addresses, data associated with social media accounts and more, researchers discovered.
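The root cause described above is a database that listens on a public interface with no authentication. The following audit script is an added example, not code from the article, from Kromtech or from Ai.Type; it reads a `mongod.conf` in the two-level YAML layout MongoDB uses and flags the pair of settings that turns a deployment into a public dump: `net.bindIp` (or `net.bindIpAll`) on all interfaces together with `security.authorization` not set to `enabled`. The two sample configurations are constructed for the example; the script assumes the MongoDB 3.6+ default of binding to localhost when `bindIp` is absent.

```python
"""Audit a mongod.conf for the combination that exposes a database publicly:
listening on every interface while authorization is disabled.
Added example; the sample configs below are constructed, not from any real host."""

PUBLIC_ADDRESSES = {"0.0.0.0", "::"}


def parse_minimal_yaml(text):
    """Read the 'section:\\n  key: value' subset of YAML that mongod.conf uses.
    Assumption: two levels only, no lists, '#' starts a comment."""
    config = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):          # top-level section, e.g. "net:"
            section = line.rstrip(":").strip()
            config[section] = {}
        else:                                  # indented "key: value" entry
            key, _, value = line.strip().partition(":")
            config[section][key.strip()] = value.strip()
    return config


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means both controls are in place."""
    cfg = parse_minimal_yaml(text)
    net = cfg.get("net", {})
    sec = cfg.get("security", {})
    findings = []

    # MongoDB 3.6+ binds to 127.0.0.1 when bindIp is omitted (assumed here).
    bind_ip = net.get("bindIp", "127.0.0.1")
    bind_all = net.get("bindIpAll", "false").lower() == "true"
    if bind_all or any(a.strip() in PUBLIC_ADDRESSES for a in bind_ip.split(",")):
        findings.append("listens on all interfaces (net.bindIp / net.bindIpAll)")

    # Authorization is off unless explicitly enabled.
    if sec.get("authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization is not 'enabled'")

    if len(findings) == 2:
        findings.append("CRITICAL: reachable by anyone on the network without credentials")
    return findings


# Constructed sample: the exposed shape (public bind, no security section).
EXPOSED_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: the hardened shape (localhost bind, auth required).
HARDENED_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", audit_mongod_conf(conf) or ["ok"])
```

Binding to localhost alone is not sufficient where an application server on another host needs access; in that case `bindIp` lists the private interface, `authorization` stays `enabled`, and a firewall restricts 27017 to the application hosts.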
“This also exposed just how much data they access and how they obtain a treasure trove of data that average users do not expect to be extracted or datamined from their phone or tablet,” according to the blog post.
“This breach highlights how vulnerable we are to apps or third-party tools that may be sloppy or reckless with security,” said Ray DeMeo, cofounder and chief officer at Virsec Systems. “Consumers are also notorious for choosing convenience over security and blithely allowing apps to have ‘full access’ to anything on their phones.”
The bulk of users “never read the app permissions disclosure when downloading an app and they don't realize they are giving away access to almost everything including many areas the app publisher has no legitimate use for, but a few more damaging leaks like this one and that may change,” said John Gunn, chief marketing officer at VASCO Data Security. “Before, people only had to worry about their own gullibility, now users have to also worry about naive friends giving up their data to irresponsible and over-reaching app publishers.”
Jeff Williams, CTO and cofounder of Contrast Security, called for the FCC to go after the app's author for making fraudulent claims about the product.
“The fact that the author promised encryption and better security and completely failed to deliver is a serious problem,” said Williams. “How can consumers protect themselves, if marketing is free to claim anything without consequences for lying?”
Better still “would be if app vendors were not only held to their claims, but were *required* to disclose basic security information about their products,” said Williams. “I see no other way to fix the broken software market.”
DeMeo called for a shift “to a much more defensive security model: assume all but the most trusted apps and vendors are likely to be careless and get breached,” cautioning users not to voluntarily hand over personal data or “allow untrusted apps to access other data on your devices.”