#LeakAlert: 7 VPN services leaked 1.2TB private user data

Discovered by the research team at vpnMentor, the massive database of information was being exposed through an Elasticsearch server that had no security measures.

It was live and out there in the open, exposing personally identifiable information collected through seven different apps - UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, Rabbit VPN - used by 20 million+ people worldwide.

Even though all the VPN services in question claim that they do not keep a log of their users' activity, the leaked database tells a different story.

It hosts 1.2TB of information on the users of the services, including their internet activity logs, email addresses, plain text passwords, IP addresses, home addresses, payment information, phone models, device IDs, and other technical details.

During its analysis, the researchers at vpnMentor noted signs indicating that all the seven apps may have been developed by a single entity - possibly Dreamfii HK - and then white-labeled for use under different brand names.

All the apps were on the same server; they redirected payments to Dreamfii, and at least three of them had a nearly identical web page.

As vpnMentor raised alarms over the issue, some of the data being exposed was protected.

UFO VPN, which had over 10 million downloads, claimed it could not lock down the information due to the pandemic and the staff changes stemming from it.

It also maintained that the company collected logs for performance monitoring and had kept them in an anonymized form, which vpnMentor refuted.

The leak not just highlights a major security issue with white-labeled VPN services, but also puts government critics at risk.

VPN services are often used by activists and journalists to dodge censorship and voice their opinion by eluding ISP-level surveillance, but if their information gets leaked this way, they could easily be tracked down, especially in places like China.