#LeakAlert: 7 VPN services leaked 1.2TB private user data
What's the story
In a major shocker, seven virtual private network (VPN) providers, all hailing from Hong Kong, have been caught leaking private data of their users. The free services left as much as 1.2TB of data exposed on a shared yet unprotected server, leaving it open to be mined and used by anyone who knew where to look. Here is more about it.
Services
Which VPN services have been affected?
Discovered by the research team at vpnMentor, the massive database of information was being exposed through an Elasticsearch server that had no security measures. It was live and out there in the open, exposing personally identifiable information collected through seven different apps - UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, Rabbit VPN - used by 20 million+ people worldwide.
Information risk
What kind of information was being exposed?
Even though all the VPN services in question claim that they do not keep a log of their users' activity, the leaked database tells a different story. It hosts 1.2TB of information on the users of the services, including their internet activity logs, email addresses, plain text passwords, IP addresses, home addresses, payment information, phone models, device IDs, and other technical details.
Possibility
All services reportedly connected to one entity
During its analysis, the researchers at vpnMentor noted signs indicating that all the seven apps may have been developed by a single entity - possibly Dreamfii HK - and then white-labeled for use under different brand names. All the apps were on the same server; they redirected payments to Dreamfii, and at least three of them had a nearly identical web page.
Action
After alarms, some information was locked
As vpnMentor raised alarms over the issue, some of the data being exposed was protected. UFO VPN, which had over 10 million downloads, claimed it could not lock down the information due to the pandemic and the staff changes stemming from it. It also maintained that the company collected logs for performance monitoring and had kept them in an anonymized form, which vpnMentor refuted.
Risk
Either way, this is a major problem
The leak not just highlights a major security issue with white-labeled VPN services, but also puts government critics at risk. VPN services are often used by activists and journalists to dodge censorship and voice their opinion by eluding ISP-level surveillance, but if their information gets leaked this way, they could easily be tracked down, especially in places like China.