Seven Virtual Private Network providers leaked the data of more than 20 million uses, according to a new report from vpnMentor.
The providers, who claimed not to keep any logs of their users' online activities, left 1.2 terabytes of private user data exposed. The data, found on a server shared by the services, included the Personally Identifiable Information (PII) of potentially as many as 20 million VPN users.
Amer Owaida from ESET's Welivesecurity, says the report calls into question the providers' security practices and dismisses their claims of being no-log VPN services.
"Besides the personal details, which included the users' email and home addresses, clear text passwords, and IP addresses, the server was also found to store several instances of internet activity logs, which casts doubt on the providers' claims about strict no-logs policies," he explains.
UFO VPN, FAST VPN, FREE VPN, SUPER VPN, Flash VPN, Secure VPN, and Rabbit VPN are all implicated in the incident.
"The report suggests that all these Hong Kong-based services have a shared developer and app and are assumed to be white-label solutions that are repurposed under different brands for other companies," sats Owaida.
"This assumption is based on the services sharing the same Elasticsearch server, being hosted on the same assets, and on the fact that the services share a single recipient for payments."
The researchers ran a series of tests using one of the VPN services, UFO VPN. After downloading and using the mobile app to connect to servers around the globe, their activities were recorded in the database, comprising their personal details that included an email address, IP, address, device, and the server they connected to.
"Beyond confirming their suspicions, they also found that the database logged their username and password used to create the account," says Owaida.
The database contained technical data about the devices on which the VPNs were installed, such as the origins' IP addresses, Internet Service Provider, actual location, device model, type and ID, as well the user's network connection.
“The VPN server users connected to was also exposed, including its region and IP address. This makes the affected VPN service virtually useless, as the user's origin IP address can be connected to their activity on the target server,” explained vpnMentor.
"In a nutshell, all the details that were logged and exposed by these self-proclaimed “no-log” VPN services could spell problems in different orders of magnitude to their users," says Owaida.
"VPNs are used for several main reasons, including to add an extra layer of security and privacy, access content that may not be strictly legal in specific countries (some outlaw pornography), bypass geo-restrictions, or by political activists.
"Depending on who is targeted by a malicious actor, the VPN users could end up getting targeted by phishing campaigns, become victims of fraud, or face blackmail, arrests and persecution," he explains.
Adhering to responsible disclosure guidelines, the researchers disclosed the security lapse to the VPN providers on July 5th and contacted the Hong Kong Computer Emergency Response Team on July 8th. The server was closed on July 15th.
"The users of any of these seven VPN providers would be well advised to consider switching to another service and change their login information on any other online accounts," says Owaida.
"This report should in no way discourage you from using a VPN, but may instead be a reminder to choose your VPN provider carefully."