A treasure trove of private data belonging to 20 million users has reportedly been exposed by a group of free VPN (Virtual Private Network) apps. Researchers at vpnMentor discovered that seven VPN providers had left more than a terabyte of browsing logs out in the open, accessible to anyone. However, all of them have denied recording users' activities.

Even though the database has now been secured, vpnMentor has claimed that the data of over 20 million users of the seven Hong Kong-based VPN apps was exposed online due to a lack of server-side security measures.


The report claimed that the leaked data included records of the websites visited by the users, plain-text passwords, PayPal payment information, email addresses, device specifications, and more. The researchers at vpnMentor said they confirmed that the data came from these VPNs by browsing through new accounts and cross-verifying that activity against the updated database.

1.207 TB Data Exposed

As per the report, the exposed data is 1.207 TB, but the file volume exceeds one billion. It was found that these seven Hong Kong VPNs are all owned by the same Hong Kong-based parent company, as they share a common server and are hosted on the same assets. The report claimed the VPN apps also had the same client for receiving payments, Dreamfii HK Limited.

These VPNs are UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN. Most of these VPNs had over 10 million downloads on the Google Play Store and iOS App Store.


The report added that each of these VPNs claimed to be a 'no-log' service, meaning it did not record any user activity on its app. But vpnMentor said that the researchers found multiple instances of internet activity logs on their shared server.

Tracking Users' Activity

UFO VPN wrote in its privacy policy that the VPN didn't track users' activities outside the site, and it did not "track the website browsing or connection activities of users who are using our Services."

After the recent incident, a spokesperson for UFO VPN claimed that the database didn't feature any personal information, and added that the coronavirus pandemic prevented its staff from securing the server. The spokesperson also told vpnMentor that "due to personnel changes caused by COVID-19, we've not found bugs in server firewall rules immediately, which will lead to the potential risk of being hacked. And now it has been fixed."

However, VPN apps are capable of monitoring users' internet traffic, so it is important to ensure that the one you install has a secure infrastructure in place. If you were using any of these affected apps, here are a few alternatives: