7 VPN services leaked data from more than 20 million users, according to a report


Report challenges the providers’ security practices and contradicts their claims of being no-logs VPN services

Seven virtual private network (VPN) providers who claim to keep no record of their users’ online activities recently left 1.2 terabytes of private user data exposed to anyone who comes looking. The data, found on a server shared by the services, included the personally identifiable information (PII) of potentially up to 20 million VPN users, said vpnMentor researchers, who discovered the leak.

In addition to personal data, which included users’ home and email addresses, clear-text passwords, and IP addresses, the server was also found to store multiple instances of Internet activity logs, casting doubt on the vendors’ claims of strict no-logs policies.

UFO VPN, FAST VPN, FREE VPN, SUPER VPN, Flash VPN, Secure VPN, and Rabbit VPN are involved in the incident. The report suggests that all of these Hong Kong-based services have a shared developer and app and are likely white-label solutions that are reused under different brands by other companies. This assumption is based on the services sharing the same Elasticsearch server, being hosted on the same assets, and using a single recipient for payments.

The researchers conducted a series of tests using one of the VPN services, UFO VPN. After downloading the mobile app and using it to connect to servers around the world, they found their activities recorded in the database, including their personal data: an email address, IP address, device, and the server they connected to. Beyond confirming their suspicions, they also discovered that the database recorded the username and password they had used to create the account.

The database even contained technical data on the devices on which the VPNs were installed, such as the origin IP addresses, the Internet service provider, the actual location, and the model, type and identifier of the device, as well as the user’s network connection. “Connected VPN server users were also exposed, including their region and IP address. This makes the affected VPN service practically useless, since the user’s source IP address can connect to their activity on the destination server,” explained vpnMentor.

In a nutshell, all the details that were logged and exposed by these self-proclaimed “no-logs” VPN services could mean problems of very different orders of magnitude for their users. VPNs are used for several main reasons, including adding an additional layer of security and privacy, accessing content that may not be legal in specific countries (such as pornography that is illegal in some jurisdictions), circumventing geographic restrictions, or political activism.

Depending on whom a malicious actor targets, VPN users could end up being targeted by phishing campaigns, become victims of fraud, or face blackmail, arrest and prosecution.

Following responsible disclosure guidelines, the researchers reported the security lapse to the VPN providers on July 5th and contacted the Hong Kong Computer Emergency Response Team on July 8th. The server was shut down on July 15th.

Users of any of these seven VPN providers are encouraged to consider switching to another service and to change their login credentials on any other online accounts. This report should not discourage you in any way from using a VPN, but it can serve as a reminder to choose your VPN provider carefully.