Seven free VPN apps created by a Hong Kong-based developer have leaked the personal data of over 20 million VPN users worldwide after their shared server was found to be completely open and accessible to third parties.
The massive data leak was discovered by security researchers at vpnMentor, who found that the shared server hosting data collected by the free VPN apps held over 1.2TB of data, comprising 1,083,997,361 records that included email addresses, clear-text passwords, IP addresses, home addresses, phone models, device IDs, and other technical information belonging to over 20 million users of these apps worldwide.
These free VPN apps, namely UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN, claimed to be “no-log” VPNs that stored no user data, but the researchers found that their shared server contained detailed internet activity logs of millions of users. The apps also boasted military-grade security, yet the same server held unencrypted plain-text passwords.
To verify that the data on the shared server was genuine, the researchers installed the UFO VPN app on a phone and used it to connect to servers around the world. As soon as they did so, new activity logs appeared in the Elasticsearch database containing an email address, location, IP address, and other details of the device used to download and run the app.
Aside from the personal information, IP addresses, and locations of millions of users, the researchers also found details of websites visited by users of the seven VPN apps, messages sent by app users to customer service agents, sensitive PayPal API links along with users’ full names, emails, and addresses, as well as Huawei-labeled data entries not only related to users’ devices.
Poor security controls in free VPN apps placed millions of users in great danger
"Many of the millions of VPN users exposed in this leak live in countries with violently repressive governments, such as Iran and Sudan. The threat of government surveillance and arrest for innocently using the internet is why VPNs are so popular in these countries in the first place.
"By recording their users’ activities and logging so much of their PII data, despite explicitly promising not to, these VPNs have betrayed their most vulnerable users and exposed them to great danger. Had the records we viewed been leaked onto the dark web or shared openly, repressive governments could use them to target users in their country for arrest, detention, and imprisonment," vpnMentor said.
Commenting on the massive leak of customer records from all over the world, Boris Cipot, senior security engineer at Synopsys, said that in this case, VPN providers were collecting data that they then tried to monetize. While they had not anticipated a breach, it is now an unfortunate reality that puts many of their users at risk.
"When selecting a VPN provider, it is important that you check that they won't keep any logs or collect data on you and your activities online. If the data collected does lead back to you, then the VPN is not doing what it's intended for. It would be better to not use their VPN service," he added.