sb-au logo
Story image

7 VPN services leaked data of 20 million users - report

Seven Virtual Private Network providers leaked the data of more than 20 million uses, according to a new report from vpnMentor. 

The providers, who claimed not to keep any logs of their users’ online activities, left 1.2 terabytes of private user data exposed. The data, found on a server shared by the services, included the Personally Identifiable Information (PII) of potentially as many as 20 million VPN users.

Amer Owaida from ESET's Welivesecurity, says the report calls into question the providers’ security practices and dismisses their claims of being no-log VPN services.

"Besides the personal details, which included the users’ email and home addresses, clear text passwords, and IP addresses, the server was also found to store several instances of internet activity logs, which casts doubt on the providers’ claims about strict no-logs policies," he explains.

UFO VPN, FAST VPN, FREE VPN, SUPER VPN, Flash VPN, Secure VPN, and Rabbit VPN are all implicated in the incident. 

"The report suggests that all these Hong Kong-based services have a shared developer and app and are assumed to be white-label solutions that are repurposed under different brands for other companies," sats Owaida.

"This assumption is based on the services sharing the same Elasticsearch server, being hosted on the same assets, and on the fact that the services share a single recipient for payments."

The researchers ran a series of tests using one of the VPN services, UFO VPN. After downloading and using the mobile app to connect to servers around the globe, their activities were recorded in the database, comprising their personal details that included an email address, IP, address, device, and the server they connected to. 

"Beyond confirming their suspicions, they also found that the database logged their username and password used to create the account," says Owaida.

The database contained technical data about the devices on which the VPNs were installed, such as the origins’ IP addresses, Internet Service Provider, actual location, device model, type and ID, as well the user’s network connection. 

“The VPN server users connected to was also exposed, including its region and IP address. This makes the affected VPN service virtually useless, as the user’s origin IP address can be connected to their activity on the target server,” explained vpnMentor.

"In a nutshell, all the details that were logged and exposed by these self-proclaimed “no-log” VPN services could spell problems in different orders of magnitude to their users," says Owaida.

"VPNs are used for several main reasons, including to add an extra layer of security and privacy, access content that may not be strictly legal in specific countries (some outlaw pornography), bypass geo-restrictions, or by political activists.

"Depending on who is targeted by a malicious actor, the VPN users could end up getting targeted by phishing campaigns, become victims of fraud, or face blackmail, arrests and persecution," he explains.

Adhering to responsible disclosure guidelines, the researchers disclosed the security lapse to the VPN providers on July 5th and contacted the Hong Kong Computer Emergency Response Team on July 8th. The server was closed on July 15th.

"The users of any of these seven VPN providers would be well advised to consider switching to another service and change their login information on any other online accounts," says Owaida.

"This report should in no way discourage you from using a VPN, but may instead be a reminder to choose your VPN provider carefully."

Story image
Zerto launches security solutions for containerised applications
The company has launched its beta program of Zerto for Kubernetes (Z4K), an extension of its Zerto Platform, to support next-generation, cloud native applications.More
Story image
Video: 10 Minute IT Jams - SonicWall VP on the benefits of Boundless Cybersecurity
Today's interviewee will discuss the ins and outs of the company's Boundless Cybersecurity solution and how it can help APAC organisations adjust to the new normal, as well as explaining the 'cybersecurity business gap'.More
Story image
DDoS attacks surge, becoming more sophisticated
After doubling from Q1 to Q2, the total number of network layer attacks observed in Q3 doubled again — resulting in a 4x increase in number compared to the pre-COVID levels in the first quarter. More
Story image
Is the 'fast follower' mentality holding back anti-money laundering in Australia?
The decade-old rules-based systems cannot keep up with sophisticated cyberattacks and money laundering threats on their own, writes FICO financial crimes leader for APAC Timothy Choon.More
Story image
City council in Queensland goes digital with Rubrik
“By using our data effectively, the possibilities are endless — we can improve internal efficiency, deliver strategic benefits, or drive greater economic, community, and environmental value."More
Story image
Check Point a Leader in Firewall Magic Quadrant for 21st Time
It is the 21st time in the company’s history that Check Point has been named a Leader in Gartner’s Magic Quadrant for Enterprise Network Firewalls.More