Seven Hong Kong-based VPN (virtual private network) apps were reportedly found exposing the Personally Identifiable Information (PII) of potentially more than 20 million users on a server with no password protection or authentication.
What is surprising is that each of these VPNs claims to follow a “no-log” policy, i.e. that it does not record any user activity in its app.
According to the vpnMentor research team, which uncovered the unsecured live server, 1.207 TB of data comprising 1,083,997,361 records was exposed to public access.
The compromised user data include activity logs, PII (names, emails, home addresses), cleartext passwords, Bitcoin payment information, support messages, personal device information, technical specifications, account information, and direct PayPal API links.
The affected VPN apps are UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN. They all appear to be connected by a common app developer and white-labelled or rebranded for use under multiple names.
Based on the following findings, vpnMentor believes that the VPNs exposed in this leak share the same developer:
- The VPNs share a common Elasticsearch server
- They are hosted on the same assets
- They have a single recipient for payments, Dreamfii HK Limited
- At least three of the VPNs on the server share almost identical branding on their websites
To confirm whether user data was actually being collected, the researchers ran their own tests using UFO VPN.
“To confirm our initial findings, we ran a series of tests using UFO VPN. After downloading it to a phone, we used the UFO VPN app to connect to servers around the world. Upon doing so, new activity logs were created in the database, with our personal details, including an email address, location, IP address, device, and the servers we connected to,” the researchers said.
“Furthermore, we could clearly see the username and password we used to register our account, stored in the logs as cleartext. This confirmed that the database was real and the data was live.”
This puts affected VPN users at high risk: malicious hackers and cybercriminals could use the PII exposed through the Elasticsearch server to craft very convincing phishing campaigns. Other likely consequences include spam, financial fraud using the leaked PayPal or Bitcoin payment data, extortion, blackmail and doxing. In some cases it could also lead to arrest or persecution if users accessed websites that are banned in their home countries.
The researchers contacted all the affected VPN firms on 5 July 2020, the day the unsecured live server was discovered; the server was taken offline only on 15 July.
If you use one of the VPNs affected by this leak, we recommend switching to a more secure provider that follows strict privacy protocols. You can check out our list of some of the best free and paid VPN services.
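As an added illustration (not from the vpnMentor report or from the apps concerned), the Python below shows the two defender-side checks whose absence this leak exposes: an audit that flags stored records containing the fields the researchers found (username, password, email, location, device, e-mail addresses in support text), and a sanitiser that enforces a no-log policy before an event is ever written. The field names and the sample record are constructed assumptions.

```python
import ipaddress
import re

# Fields the researchers found in the exposed logs; a no-log service must never persist them.
FORBIDDEN_FIELDS = {"password", "username", "email", "location", "device"}
# Catches e-mail addresses that leak through free-text fields such as support messages.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+")


def audit_record(record: dict) -> list:
    """Return the fields of a stored record that violate the no-log policy."""
    findings = [k for k in record if k.lower() in FORBIDDEN_FIELDS]
    findings += [f"{k} (email in text)" for k, v in record.items()
                 if k.lower() not in FORBIDDEN_FIELDS
                 and isinstance(v, str) and EMAIL_RE.search(v)]
    return findings


def truncate_ip(ip: str) -> str:
    """Keep only the network prefix (/24 for IPv4, /48 for IPv6) so the value no longer identifies a user."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def sanitise_record(record: dict) -> dict:
    """Reduce an event to what a no-log service may keep: timestamp, coarse network, server."""
    out = {}
    for k, v in record.items():
        if k.lower() in FORBIDDEN_FIELDS:
            continue                                  # dropped outright, never written
        if k.lower() == "ip":
            v = truncate_ip(v)                        # coarsened, not stored verbatim
        elif isinstance(v, str):
            v = EMAIL_RE.sub("[redacted-email]", v)   # scrub addresses from free text
        out[k] = v
    return out


# Constructed sample record shaped like the fields the researchers reported (field names are assumptions).
SAMPLE = {
    "timestamp": "2020-07-05T10:00:00Z", "username": "alice", "password": "hunter2",
    "email": "alice@example.com", "ip": "203.0.113.77", "device": "Pixel 3",
    "location": "HK", "server": "fra-03",
    "support_msg": "Hi, my login alice@example.com keeps failing",
}

if __name__ == "__main__":
    print(audit_record(SAMPLE))       # the five forbidden fields plus the e-mail in support_msg
    print(sanitise_record(SAMPLE))    # only timestamp, ip (203.0.113.0), server, scrubbed support_msg
```

Running the audit over an export of an existing index shows how far a deployment is from the policy it advertises; running the sanitiser in the ingestion path is what makes the “no-log” claim true.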