
7 VPN services leaked data of 20 million users - report

Seven Virtual Private Network providers leaked the data of more than 20 million users, according to a new report from vpnMentor.

The providers, who claimed not to keep any logs of their users’ online activities, left 1.2 terabytes of private user data exposed. The data, found on a server shared by the services, included the Personally Identifiable Information (PII) of potentially as many as 20 million VPN users.

Amer Owaida from ESET's Welivesecurity, says the report calls into question the providers’ security practices and dismisses their claims of being no-log VPN services.

"Besides the personal details, which included the users’ email and home addresses, clear text passwords, and IP addresses, the server was also found to store several instances of internet activity logs, which casts doubt on the providers’ claims about strict no-logs policies," he explains.

UFO VPN, FAST VPN, FREE VPN, SUPER VPN, Flash VPN, Secure VPN, and Rabbit VPN are all implicated in the incident. 

"The report suggests that all these Hong Kong-based services have a shared developer and app and are assumed to be white-label solutions that are repurposed under different brands for other companies," says Owaida.

"This assumption is based on the services sharing the same Elasticsearch server, being hosted on the same assets, and on the fact that the services share a single recipient for payments."

The researchers ran a series of tests using one of the VPN services, UFO VPN. After downloading and using the mobile app to connect to servers around the globe, their activities were recorded in the database, comprising their personal details that included an email address, IP address, device, and the server they connected to.

"Beyond confirming their suspicions, they also found that the database logged their username and password used to create the account," says Owaida.

The database contained technical data about the devices on which the VPNs were installed, such as the origin IP address, Internet Service Provider, actual location, device model, type and ID, as well as the user's network connection.

“The VPN server users connected to was also exposed, including its region and IP address. This makes the affected VPN service virtually useless, as the user’s origin IP address can be connected to their activity on the target server,” explained vpnMentor.
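The core of the finding above is that each record tied a user's origin IP, email and cleartext password to the VPN server (and destination) they used, which is exactly the linkage a VPN exists to prevent. The following audit routine is an added example for service operators or responding analysts, not code from vpnMentor or any of the providers named in the report; the log field names and the two sample records are constructed for illustration. It scans Elasticsearch-style documents for values a no-log service should never persist (credential fields, email addresses, IPv4 addresses) and flags records that store origin and destination side by side. IPv6 values are not matched here.

```python
"""Audit log records for data a no-log VPN service should never persist.

All field names and sample values below are constructed for this example;
they are not from the vpnMentor report or any named provider.
"""
from __future__ import annotations

import re
from typing import Any

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
IPV4_RE = re.compile(
    r"^(?:25[0-5]|2[0-4]\d|1?\d?\d)(?:\.(?:25[0-5]|2[0-4]\d|1?\d?\d)){3}$"
)
# Any field whose name suggests a credential is a finding regardless of value.
SECRET_FIELD_RE = re.compile(r"pass(?:word|wd)?|secret|token", re.I)
# Assumed field names for the client side (where the user came from)...
ORIGIN_FIELDS = {"origin_ip", "client_ip", "src_ip"}
# ...and for the far side (which VPN server or host they reached).
DESTINATION_FIELDS = {"vpn_server_ip", "visited_host", "dst_ip"}

# Constructed sample documents: one over-logged record and one acceptable one.
SAMPLE_DOCS: list[dict[str, Any]] = [
    {
        "user_email": "alice@example.invalid",
        "password": "hunter2",
        "origin_ip": "203.0.113.7",
        "isp": "ExampleNet",
        "device_id": "dev-001",
        "vpn_server_ip": "198.51.100.9",
        "vpn_region": "us-east",
        "visited_host": "news.example.invalid",
    },
    {
        "session_id": "s-002",
        "vpn_region": "eu-west",
        "bytes_up": 1024,
        "bytes_down": 4096,
        "duration_s": 300,
    },
]


def audit_document(doc: dict[str, Any]) -> list[tuple[str, str]]:
    """Return (field, reason) pairs for each value that should not be logged."""
    findings: list[tuple[str, str]] = []
    for field, value in doc.items():
        if SECRET_FIELD_RE.search(field):
            findings.append((field, "cleartext credential"))
            continue
        if not isinstance(value, str):
            continue
        if EMAIL_RE.match(value):
            findings.append((field, "email address"))
        elif IPV4_RE.match(value):
            findings.append((field, "IP address"))
    # Storing both sides of a session in one record is what lets a reader tie
    # a real user to their activity, which defeats the purpose of the VPN.
    if ORIGIN_FIELDS.intersection(doc) and DESTINATION_FIELDS.intersection(doc):
        findings.append(("*", "origin and destination stored together"))
    return findings


def audit_index(docs: list[dict[str, Any]]) -> dict[str, int]:
    """Count findings by reason over a batch, e.g. one page of search hits."""
    summary: dict[str, int] = {}
    for doc in docs:
        for _, reason in audit_document(doc):
            summary[reason] = summary.get(reason, 0) + 1
    return summary


if __name__ == "__main__":
    for doc in SAMPLE_DOCS:
        print(audit_document(doc))
    print(audit_index(SAMPLE_DOCS))
```

Run against a real index, the `audit_index` summary gives an operator a quick measure of how far the logging pipeline has drifted from a stated no-log policy; a non-zero "origin and destination stored together" count is the one to treat as urgent, since it is the record shape that turned this exposure into a privacy failure rather than just a data leak.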

"In a nutshell, all the details that were logged and exposed by these self-proclaimed “no-log” VPN services could spell problems in different orders of magnitude to their users," says Owaida.

"VPNs are used for several main reasons, including to add an extra layer of security and privacy, access content that may not be strictly legal in specific countries (some outlaw pornography), bypass geo-restrictions, or by political activists.

"Depending on who is targeted by a malicious actor, the VPN users could end up getting targeted by phishing campaigns, become victims of fraud, or face blackmail, arrests and persecution," he explains.

Adhering to responsible disclosure guidelines, the researchers disclosed the security lapse to the VPN providers on July 5th and contacted the Hong Kong Computer Emergency Response Team on July 8th. The server was closed on July 15th.

"The users of any of these seven VPN providers would be well advised to consider switching to another service and change their login information on any other online accounts," says Owaida.

"This report should in no way discourage you from using a VPN, but may instead be a reminder to choose your VPN provider carefully."
