sb-eu logo
Story image

7 VPN services leaked data of 20 million users - report

Seven Virtual Private Network providers leaked the data of more than 20 million uses, according to a new report from vpnMentor. 

The providers, who claimed not to keep any logs of their users’ online activities, left 1.2 terabytes of private user data exposed. The data, found on a server shared by the services, included the Personally Identifiable Information (PII) of potentially as many as 20 million VPN users.

Amer Owaida from ESET's Welivesecurity, says the report calls into question the providers’ security practices and dismisses their claims of being no-log VPN services.

"Besides the personal details, which included the users’ email and home addresses, clear text passwords, and IP addresses, the server was also found to store several instances of internet activity logs, which casts doubt on the providers’ claims about strict no-logs policies," he explains.

UFO VPN, FAST VPN, FREE VPN, SUPER VPN, Flash VPN, Secure VPN, and Rabbit VPN are all implicated in the incident. 

"The report suggests that all these Hong Kong-based services have a shared developer and app and are assumed to be white-label solutions that are repurposed under different brands for other companies," sats Owaida.

"This assumption is based on the services sharing the same Elasticsearch server, being hosted on the same assets, and on the fact that the services share a single recipient for payments."

The researchers ran a series of tests using one of the VPN services, UFO VPN. After downloading and using the mobile app to connect to servers around the globe, their activities were recorded in the database, comprising their personal details that included an email address, IP, address, device, and the server they connected to. 

"Beyond confirming their suspicions, they also found that the database logged their username and password used to create the account," says Owaida.

The database contained technical data about the devices on which the VPNs were installed, such as the origins’ IP addresses, Internet Service Provider, actual location, device model, type and ID, as well the user’s network connection. 

“The VPN server users connected to was also exposed, including its region and IP address. This makes the affected VPN service virtually useless, as the user’s origin IP address can be connected to their activity on the target server,” explained vpnMentor.

"In a nutshell, all the details that were logged and exposed by these self-proclaimed “no-log” VPN services could spell problems in different orders of magnitude to their users," says Owaida.

"VPNs are used for several main reasons, including to add an extra layer of security and privacy, access content that may not be strictly legal in specific countries (some outlaw pornography), bypass geo-restrictions, or by political activists.

"Depending on who is targeted by a malicious actor, the VPN users could end up getting targeted by phishing campaigns, become victims of fraud, or face blackmail, arrests and persecution," he explains.

Adhering to responsible disclosure guidelines, the researchers disclosed the security lapse to the VPN providers on July 5th and contacted the Hong Kong Computer Emergency Response Team on July 8th. The server was closed on July 15th.

"The users of any of these seven VPN providers would be well advised to consider switching to another service and change their login information on any other online accounts," says Owaida.

"This report should in no way discourage you from using a VPN, but may instead be a reminder to choose your VPN provider carefully."

Story image
SentinelOne signs Netpoleon as security distributor in Asia Pacific Japan
“Working with a partner that understands our needs and can provide access and reach across a diverse region with strong security expertise, makes partnering with Netpoleon compelling and a logical choice for our next phase of growth."More
Story image
80% of security breaches involve exposure of customer data - IBM
The new report from IBM indicates that 80% of surveyed organisations reported having exposed customers’ personally identifiable information (PII) as a result of a breach.More
Story image
Security teams face mounting stress, call for execs to step in
“With more organisations operating under remote work conditions, the attack surface has broadened, making security at scale a critical concern. This is a call to action for executives to prioritise alleviating the stress."More
Story image
Distributed workforces pose new challenges for information management
“Collaboration can be stymied, mistakes can be made, and organisations can suffer data breaches if they don’t immediately address the issue of how employees are accessing and sharing information while working remotely.”More
Story image
Why greater network visibility is needed to reduce the threat posed by IoT in the enterprise
At home and abroad, organisations have joined the rush to embrace Internet of Things (IoT) technology, but a new survey shows they’re only just beginning to wake up to the enormous risk those devices pose, writes ExtraHop A/NZ Regional Sales Manager Glen Maloney.More
Story image
Fortinet unveils firewall offering for hyperscale & 5G environments
The company continues to push the boundaries of hardware-accelerated performance for security and networking convergence.More