7 VPN services leaked data of 20 million users - report

Seven Virtual Private Network providers leaked the data of more than 20 million users, according to a new report from vpnMentor.

The providers, who claimed not to keep any logs of their users’ online activities, left 1.2 terabytes of private user data exposed. The data, found on a server shared by the services, included the Personally Identifiable Information (PII) of potentially as many as 20 million VPN users.

Amer Owaida from ESET's Welivesecurity says the report calls into question the providers’ security practices and dismisses their claims of being no-log VPN services.

"Besides the personal details, which included the users’ email and home addresses, clear text passwords, and IP addresses, the server was also found to store several instances of internet activity logs, which casts doubt on the providers’ claims about strict no-logs policies," he explains.

UFO VPN, FAST VPN, FREE VPN, SUPER VPN, Flash VPN, Secure VPN, and Rabbit VPN are all implicated in the incident. 

"The report suggests that all these Hong Kong-based services have a shared developer and app and are assumed to be white-label solutions that are repurposed under different brands for other companies," says Owaida.

"This assumption is based on the services sharing the same Elasticsearch server, being hosted on the same assets, and on the fact that the services share a single recipient for payments."

The researchers ran a series of tests using one of the VPN services, UFO VPN. After downloading and using the mobile app to connect to servers around the globe, their activities were recorded in the database, including personal details such as their email address, IP address, device, and the server they connected to.

"Beyond confirming their suspicions, they also found that the database logged their username and password used to create the account," says Owaida.

The database contained technical data about the devices on which the VPNs were installed, such as the origin IP addresses, Internet Service Provider, actual location, device model, type and ID, as well as the user’s network connection.

“The VPN server users connected to was also exposed, including its region and IP address. This makes the affected VPN service virtually useless, as the user’s origin IP address can be connected to their activity on the target server,” explained vpnMentor.

"In a nutshell, all the details that were logged and exposed by these self-proclaimed “no-log” VPN services could spell problems in different orders of magnitude to their users," says Owaida.

"VPNs are used for several main reasons, including to add an extra layer of security and privacy, access content that may not be strictly legal in specific countries (some outlaw pornography), bypass geo-restrictions, or by political activists.

"Depending on who is targeted by a malicious actor, the VPN users could end up getting targeted by phishing campaigns, become victims of fraud, or face blackmail, arrests and persecution," he explains.

Adhering to responsible disclosure guidelines, the researchers disclosed the security lapse to the VPN providers on July 5th and contacted the Hong Kong Computer Emergency Response Team on July 8th. The server was closed on July 15th.

"The users of any of these seven VPN providers would be well advised to consider switching to another service and change their login information on any other online accounts," says Owaida.

"This report should in no way discourage you from using a VPN, but may instead be a reminder to choose your VPN provider carefully."
