7 VPN services left data of millions of users exposed online

vpnMentor experts reported that seven Virtual Private Network (VPN)  recently left 1.2 terabytes of private user data exposed to online.

Security experts from vpnMentor have discovered a group of seven free VPN (virtual private network) apps that left their server unsecured online exposing private user data for anyone to see. 

The impacted VPN services are UFO VPN, FAST VPN, FREE VPN, SUPER VPN, Flash VPN, Secure VPN, and Rabbit VPN.

The server contained Personally Identifiable Information (PII) data for potentially over 20 million Virtual Private Network users.

Exposed data included the users’ email and home addresses, passwords in plain text, and IP addresses, and the worst aspect of this story is that the server was also containing logs of internet activity of the users.

This is absurd because each of these Virtual Private Network service claims that their services are “no-log” VPNs, which means that they don’t record any user activity.

All the services seem to have been developed by the same authors and are assumed to be white-label solutions commercialized under different brands for multiple companies.

Below the list of the assumptions made by the experts:

“We believe the VPNs exposed in this leak share the same developer, based on the following findings:

• The VPNs share a common Elasticsearch server
• They are hosted on the same assets
• They have a single recipient for payments, Dreamfii HK Limited
• At least three of the VPNs on the server share almost identical branding on their websites.”

The experts ran a series of tests using the UFO_VPN service and discovered that their online activities were recorded in the database on the server.

vpnMentor researchers discovered that the application was storing personal details, email address, IP, address, device, and the server they connected to. The experts also found that the database logged their username and password used to create the account.

“Our team found entries within the exposed database containing a lot of personal details about users and technical information about the devices on which the VPNs were installed, including:

• Connection logs, traffic, and sites visited
• Origin IP addresses
• Internet Service Provider (ISP)
• Actual location
• Device type
• Device ID
• App version
• Phone models
• User network connection

The VPN server users connected to was also exposed, including its region and IP address.” reported vpnMentor. “This makes the affected VPN service virtually useless, as the user’s origin IP address can be connected to their activity on the target server.”

The researchers disclosed their findings to the VPN providers on July 5^th, then contacted the Hong Kong Computer Emergency Response Team on July 8^th. The server was secured on July 15^th.

Many users use VPN providers to avoid censorship and repressive actions of totalitarian governments, unfortunately, VPN services like the ones analyzed by the experts expose their users to serious risks.

“By recording their users’ activities and logging so much of their PII data, despite explicitly promising not to, these VPNs have betrayed their most vulnerable users and exposed them to great danger.” conclude the experts.

“Had the records we viewed been leaked onto the dark web or shared openly, repressive governments could use them to target users in their country for arrest, detention, and imprisonment.”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, privacy)

[adrotate banner=”5″]

[adrotate banner=”13″]