7 VPN Providers Are Accused of Leaking the Personal Information of 20 Million Users
We've often said on these pages that everything you read on the internet should be taken with a pinch of salt, and unfortunately, we have far too many examples of why this advice is more valid than ever. A team of researchers from VPNMentor recently provided us with yet another one.
The discovery concerned a total of seven Virtual Private Network (VPN) apps that all promise not to store or record any personal and activity data of the people who use them. In reality, however, the researchers proved that the apps were not only recording quite a lot of information, but they were also putting it in a server that was exposing it to the whole world.
VPN apps put users' data in an unprotected Elasticsearch database
The names of the apps are UFO VPN, Fast VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN. The apps go by different names, but the researchers are all but certain that they were created by the same developer. They are all based in Hong Kong, some of them have similar-looking websites, and, last but not least, they all store users' data on the same backend infrastructure.
Unfortunately, the experts discovered the last bit of information after they found an Elasticsearch database that was not protected by a password and hosted about 1.2TB of user data. If the VPN providers' claimed userbases are to be believed, the number of affected individuals could be as high as 20 million, and for some of them, the consequences of the leak could be quite serious.
Personal data, plaintext passwords, and activity logs were exposed
The researchers were curious to find out if the information was real. To do that, they downloaded one of the apps (UFO VPN), signed up, and started using it. Moments later, the email address and the cleartext password they used to register the account appeared in the unsecured Elasticsearch database.
In addition to the login data, the experts found quite a lot of personally identifiable information, including names, physical addresses, and home IPs. Sensitive PayPal API links could reveal paying customers' accounts at the payment processor, and there was also information on which servers they connected to when they used the apps.
One of the researchers' most shocking discoveries, however, was the presence of activity logs. VPNMentor's experts shared screenshots of records that contain the location of the user, the type of connection they were using, the timestamp, and the domain they were trying to reach. So much for the claims that no browsing data is stored.
The impact for users could be devastating
There was very little private about the virtual private networks provided by these seven apps, and this could be a big problem for the people who were using them. One of the screenshots VPNMentor shared, for example, shows that a person in Iran was using the VPN to view adult materials. Pornography is forbidden in Iran, and if that person is identified, they could be facing jail time.
Furthermore, VPNs, in general, are often used by activists and people who really don't want to reveal their true identity, and the seven apps that exposed their data could have put them in a very precarious situation. It's a good thing that the database was secured and the information is no longer publicly accessible. Bringing it down was more difficult than it should have been, though.
The VPN providers claim that they've done nothing wrong
VPNMentor's experts discovered the database on July 5 and immediately set about informing the VPN providers. Only one of the companies replied initially, and it seemed unsure of what was going on. The researchers' communication with Hong Kong's Computer Emergency Response Team (CERT) didn't bear any fruit, either: because the server was located in the US, Hong Kong's authorities could do little about it.
On July 15, the database was finally taken offline, and the researchers received a reply from UFO VPN, the largest of the impacted VPN providers. The email said that UFO VPN overlooked the configuration mistake due to "personnel changes" related to the COVID-19 pandemic. They tried to assure the researchers that they don't store users' passwords in plaintext and that they don't record any browsing activity. The leak itself is proof that this wasn't the case.
For a while now, there has been a debate over whether using a VPN is a good idea if you want to hide your identity. Incidents like this one certainly don't help the case for VPNs, and over the years, we've heard about quite a few providers that don't do enough to protect users' privacy. That being said, a well-configured virtual private network offered by a company that doesn't want to spy on you can be extremely useful, not only when you want to access content that is unavailable in your country, but also when you are trying to maintain a level of anonymity. Ultimately, leaks like this one prove that users should be extremely careful when picking a VPN provider.