7 VPN services found logging user activity, despite the promise of ‘no logs’


Seven VPN services that claim they never record user traffic have been found doing exactly that, and leaking that information onto the Internet, according to vpnMentor security researchers.

Earlier this month, vpnMentor discovered a single open server that contained user information from seven different Hong Kong-based VPN services, including UFO VPN, Fast VPN, and Free VPN.

In total, the server contained 1.2TB of data, including names, user passwords, email addresses, and private addresses for various clients. But the truly startling finding was the stored activity logs, which can reveal which sites customers visited and through which user IDs, IP addresses, and devices.

The incident is quite surprising, considering that many people who subscribe to a VPN do so to protect their privacy. However, the exposed server essentially gave anyone an easy way to monitor the activities of up to 20 million users.

Data breach summary (Credit: vpnMentor)

Each of the affected providers also claims to offer “no-log” VPN services, which means that detailed user traffic is supposedly never logged. However, the exposed server indicates that this was far from the truth. “In some cases, illegal sites were accessed from countries where viewing such content is an illegal and punishable activity,” said vpnMentor.

According to the investigation, the exposed server appears to belong to a single parent company, which runs the seven VPN services under different brands. vpnMentor contacted the affected providers on July 5, but it wasn’t until July 15 that the exposed server was finally secured.

UFO VPN told investigators: “Due to the personnel changes caused by COVID-19, we have found no errors in the server firewall rules right away, which will lead to the potential risk of being hacked. And now it has been fixed.” In the same statement, UFO VPN said that all the information on the server was “anonymous” and was simply used to analyze users’ network performance.

vpnMentor says that is false. To verify their findings, the researchers tested the UFO VPN app and noted that their own user activity logs appeared on the exposed server in real time. “In addition, we were able to clearly see the username and password that we used to register our account, stored in the registries as plain text,” they added.

The incident underscores how scammy some VPN providers can be. “Lesson: Commercial VPN services lie. A lot,” security researcher Kenneth White tweeted.

If you subscribe to UFO VPN or the other six providers, we recommend that you find a better alternative. Some VPN providers have also undertaken security audits to demonstrate that they follow a no-log policy. Others are joining a “trust initiative” to help ensure that the VPN industry is using best practices in security and privacy.
