Security researchers claim to have found the personal data of 31 million Android users of the keyboard app Ai.type after finding an open database online.
The app offers themed keyboards for phones and tablets.
The researchers claimed data left visible included names, phone numbers, locations and Google queries.
The boss of the Israeli company behind the app admitted the breach but said most of the data was not sensitive.
Bob Diachenko, from the Kromtech Security Centre, part of security company Mackeeper, said the amount of data required by the app at point of download was "shocking".
"Why would a keyboard and emoji application need to gather the entire data of the user's phone or tablet?" he wrote in his report.
"Based on the leaked database, they appear to collect everything from contacts to keystrokes."
But Eitan Fitusi, chief executive and founder of Ai.type, told the BBC the amount of data exposed was not as extensive as claimed.
"It was a secondary database," he said of the discovery.
Mr Fitusi said:
- the geo-location data was not accurate
- no IMEI information (a model number for a specific phone) had been gathered
- the user behaviour collected by the company involved only which ads they clicked
The database has now been shut down and Mr Fitusi said he was "confident" about the company's security.
Mr Diachenko responded that while there were no credit card or payment details, there was a wide range of personal information including social media profiles.
Ai.type's own figures state that the app has been downloaded about 40 million times on the Google Play store since its launch in 2010.