The data also includes more than 8 million text entries that were entered using the AI.type app, including passwords and search terms.
Bob Diachenko, from the Kromtech Security Centre, part of security company Mackeeper, said the amount of data required by the app at point of download was "shocking". According to security researchers at Kromtech Security Center, a large cache of customer files have leaked online and are publically available.
No matter what information leaked, if you have ai.type installed on your iOS devices, it would probably be a smart choice to uninstall the keyboard. These apps are installed over 1.5 million times per month, Ai.Type boasts on its website.
"Ai.Type accidentally exposed their entire 577GB Mongo-hosted database to anyone with an internet connection", he added. "This also exposed just how much data they access and how they obtain a treasure trove of data that average users not do expect to be extracted or data-mined from their phone or tablet". It included phone number, full name of the owner, device name and model, mobile network name, SMS number, screen resolution, user languages enabled, Android version, IMSI and IMEI numbers (both used to identify a mobile phone), email addresses associated with the phone and country of residence.
Ai.Type, which is based in Israel, has over 60 million users, and offers an Android and iOS version of its keyboard.
"This presents a real danger for cyber criminals who could commit fraud or scams using such detailed information about the user", he says.
"It raises the question once again if it is really worth it for consumers to submit their data in exchange for free or discounted products", the company said in its blog post.
Interestingly, the free version of AI.type was found to have collected more data than the paid version.
Ai.type's founder Eitan Fitusi told The Register that the MongoDB database had been secured once Kromtech had reported the issue and that the archive only contained around half of the firm's database information.
Researchers have discovered a privacy leak of over 31 million users after an Israeli start-up misconfigured a MongoDB database. Except with the wide-ranging permissions keyboards have on Android, including the option to read text messages, view photos and videos and even record audio, combined with the fact that it didn't store user data in a secure storage, you have to wonder just how accurate that is. Mr. Fitusi expressed his confidence on the company's security. He said it contained secondary information that was "mostly statistical behavior information, about user use patterns of the keyboard".
Mark James, security specialist at ESET, said the start-up's collection of such a wide range of data was unacceptable. About 10 percent of that data is sent to the server for prediction purposes, but it's not shared with any third party.
Kromtech added that over 6 million records also contained data from users' contact books, "in total more than 373 million records scraped from registered users' phones, which include all their contacts saved/synced on linked Google account".