Seven VPN providers Exposed Personal Data of Millions of Users


Yesterday, a report surfaced claiming that UFO VPN had leaked sensitive data and user logs, despite the company's claim that it does not log any data whatsoever. Another report showed that six further VPNs have exposed data as well. These VPNs appear to have been built by the same app developer.

Going by the providers' own user numbers, personally identifiable information for up to 20 million VPN users may have been exposed. It is not known whether any unauthorized party accessed the data while it was exposed.

VPNs Seem to Have the Same Developer

The VPNs affected are UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN. All of them appear to come from the same developer: they share the same server and hosting assets, payments go to a single recipient, and their branding looks extremely similar. So much is alike that the apps almost have to be one product, rebranded several times.

But the most interesting thing these VPNs have in common is that they all claim to have a no-log policy. That claim does not hold up: 1.2 TB of personal data was exposed, and Noam Rotem's research team showed that these VPNs logged the internet activity of millions of users. That data was then left on an exposed server, accessible to anyone who found it.

Check Whether the Data was Actually Logged

The exposed data includes a lot of personal information about the VPN users: full names, email addresses, home addresses, payment details, user activity logs, IP addresses, and passwords. The passwords were not hashed or encrypted; they were stored in plaintext.

Of course, the researchers wanted to confirm that the data they found was actually being collected by the VPNs, so they ran a test: they used UFO VPN to connect to several servers around the world and then checked the database. The researchers found the following:

“Upon doing so, new activity logs were created in the database, with our personal details, including an email address, location, IP address, device, and the servers we connected to. Furthermore, we could clearly see the username and password we used to register our account, stored in the logs as cleartext. This confirmed that the database was real and the data was live”.

Lack of Response From VPNs

The research team contacted the VPNs and their developer as soon as they had identified the exposed server, so that the data could be secured. The limited communication that followed seemed to lead nowhere, but after ten days the team verified that the database had been secured. The communication may not have been great, but the data was no longer exposed.

UFO VPN Response

The UFO VPN team was the only VPN to reply in more detail. They explained that “Due to personnel changes caused by COVID-19, we‘ve not found bugs in server firewall rules immediately, which will lead to the potential risk of being hacked. And now it has been fixed”.

But the company also said that it does not collect home addresses, which the research had shown to be incorrect. It also claimed that the clear-text passwords found were not passwords to users' accounts but tokens used to connect to VPN servers, and that login passwords are encrypted both in transit and at rest. Even if that is accurate, a valid connection token sitting in a readable log still lets whoever reads it use that account's VPN access until the token expires.

Another research team, led by Bob Diachenko, had also found that the server was exposed and contacted UFO VPN. They received a similar response from a spokesperson. "We don't collect any information for registering," the spokesperson said. "In this server, all the collected information is anonymous and only used for analyzing the user's network performance & problems to improve service quality. So far, no information has been leaked."

The Data was Not Encrypted

Anyone with malicious intent could have accessed the server and used that information. That is why the researchers published their results only two days ago: they wanted to give the providers and the relevant authorities time to fix the problem, and released their findings as soon as they had confirmation that the exposed server was protected again.

The data on the server was not just unprotected, it was also not encrypted, and the logs contained a lot of personal information. The email addresses could be used for phishing campaigns or other scams. The passwords can be used to log into the VPN account, or into any other account that shares the same password. The combined data could even be used for identity theft.
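To make the difference concrete, here is an added example (not code from the article or from any of the providers named in it) contrasting the logging pattern the researchers describe with a hardened one. It assumes the log entry has the fields the quoted researchers list (email, IP, device, server, password); the field names, sample values, the PBKDF2 parameters and the IP truncation prefixes are all choices made for this illustration.

```python
import hashlib
import hmac
import ipaddress
import os
from typing import Dict

# Constructed sample record, shaped like the activity log entry the
# researchers describe (email, IP, device, server, and the account
# password in cleartext). Every value here is invented for the example.
SAMPLE_EVENT: Dict[str, str] = {
    "email": "user@example.com",
    "ip": "203.0.113.10",
    "device": "Android 10",
    "server": "us-east-1",
    "password": "hunter2-example",
}


def log_event_plaintext(event: Dict[str, str]) -> Dict[str, str]:
    """The pattern the report describes: the event is written to the log
    exactly as received, password included. Anyone who can read the log
    (for example through a database left open by a bad firewall rule)
    can read the password and try it on the user's other accounts."""
    return dict(event)


def truncate_ip(ip: str) -> str:
    """Coarsen a client address to its /24 (IPv4) or /48 (IPv6) so the log
    stays useful for debugging without being a per-user connection record."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def log_event_hardened(event: Dict[str, str]) -> Dict[str, str]:
    """Hardened logging: credentials never belong in an activity log, so the
    password field is dropped outright, and the client IP is truncated."""
    record = {k: v for k, v in event.items() if k != "password"}
    record["ip"] = truncate_ip(record["ip"])
    return record


def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 digest and encode it together with
    its parameters. This string is all the credential store needs to keep."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def register_user(username: str, password: str) -> Dict[str, str]:
    """Credential store entry: username plus the salted hash, never the password."""
    return {"username": username, "password_hash": hash_password(password, os.urandom(16))}


def verify_password(stored: Dict[str, str], candidate: str) -> bool:
    """Recompute the digest with the stored salt and parameters and compare in
    constant time, so a leaked store yields hashes to crack, not working logins."""
    algo, iterations, salt_hex, digest_hex = stored["password_hash"].split("$")
    if algo != "pbkdf2_sha256":
        return False
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(recomputed.hex(), digest_hex)


if __name__ == "__main__":
    print("leaky log entry:   ", log_event_plaintext(SAMPLE_EVENT))
    print("hardened log entry:", log_event_hardened(SAMPLE_EVENT))
    account = register_user(SAMPLE_EVENT["email"], SAMPLE_EVENT["password"])
    print("credential record: ", account)
    print("login with right password:", verify_password(account, "hunter2-example"))
    print("login with wrong password:", verify_password(account, "wrong"))
```

The point of the split is that the activity log and the credential store are different data with different exposure consequences: a leaked hardened log reveals coarse connection metadata, while a leaked credential store reveals only salted hashes that still have to be cracked one at a time.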

Risks of Free VPNs

People often use a VPN to protect their privacy. It is very important to take a close look at a provider's logging policy, because a provider that keeps logs of your activity defeats much of the purpose of using a VPN.

Many of the VPNs involved in this data exposure were free VPNs, which illustrates why we don't recommend saving money on the protection of your privacy. Free VPNs usually don't have the best security and privacy standards. A VPN shouldn't keep activity logs or log your IP address.

If you use one of these VPNs, now is the time to stop and find a replacement. If you really don't want to stop using it, then at least change your password, and change it on any other account that shares the same password as well.

David is a cyber security analyst and one of the founders of Interested in the "digital identity" phenomenon, with special attention to the right to privacy and protection of personal data.