If you are using any of these VPN services, now is the time to call it quits.
Yesterday, Hackread.com reported on UFO VPN leaking sensitive customer data and user logs despite claiming it does not store user logs at all. Turns out, the problem is much deeper.
According to a report by vpnMentor, the databases of 6 other VPN firms, namely FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN, were also exposed, leaving a total of 1.207 TB of data comprising 1,083,997,361 records open to public access.
What is perhaps most shocking is that all of these VPN providers take great pride in flaunting their “no-logs” policies, yet now that the data has come to light, the truth appears to be far from it.
The data exposed includes full names, email addresses, physical addresses, financial information, passwords in plaintext, user logs, user support messages, and much more such as API links.
Furthermore, metadata was leaked as well: the technical specifications of users’ devices, the identities of the Internet Service Providers (ISPs) they were using, the sites they visited, and the IP address from which each user initially connected to the VPN.
Screenshot of the details of a user from Tehran, Iran.
To confirm that the data was actually being collected, as their initial findings suggested, the researchers went as far as to run tests themselves. The results were not reassuring in the least. In their own words, the researchers wrote in a blog post that:
To confirm our initial findings, we ran a series of tests using UFO VPN. After downloading it to a phone, we used the UFO VPN app to connect to servers around the world. Upon doing so, new activity logs were created in the database, with our personal details, including an email address, location, IP address, device, and the servers we connected to.
Furthermore, we could clearly see the username and password we used to register our account, stored in the logs as cleartext. This confirmed that the database was real and the data was live.
The researchers attribute the fact that all of these VPN services were found exposed at the same time to a single shared developer. Their reasoning: the firms share a common Elasticsearch server, use the same recipient for payments, have highly similar branding on their sites, and are “hosted on the same assets”, all of which points to a white-labeling operation rather than independent companies offering their own services.
The repercussions are, of course, severe. Such data could be used by any threat actor to gain unauthorized access to the accounts of all of these users, along with any other accounts where the same credentials are reused.
Phishing campaigns, spam, financial fraud, and the compromise of users’ privacy are further consequences. Additionally, in countries where civil rights are given little weight, the wellbeing of users could also have been put at risk, especially for anyone who was trying to circumvent censorship.
To conclude, all of these companies were contacted between the 5th and the 15th of July, 2020. The good news is that all of the databases have since been secured; the bad news is that these VPN companies have millions of users worldwide who rely on their services in the belief that they are protected and that their browsing data is hidden from malicious parties online, which is far from the truth.
If there is one takeaway from this entire ordeal, it is this: do not cut corners on cost when choosing a VPN. Go with providers that have built trust over years, not those who make promises but seldom keep them.
For users of any of these VPNs: run, and now is the chance to. What these VPN firms were doing is akin to defrauding their users, and no apology could make up for it.