Virtual Private Network or VPN services including UFO VPN, Rabbit VPN, Free VPN, and four more have been found to have leaked over 1TB of private user information, as per a new report. A report stated that these VPNs exposed a database of user logs and API access records without a password or authentication. A separate report pointed out that UFO VPN was just one of the several VPN service providers that were leaking private information.
At the start of July, Comparitech found that Hong Kong-based VPN provider UFO VPN exposed personal user information like plain text passwords, VPN session secrets, IP addresses, connection timestamps, geo-tags, and device and OS characteristics. The company was informed about the same and more than two weeks later, it reportedly fixed the issue, stating that no information was leaked. The leak affects both free and paid customers and reportedly all users of the service are potentially affected, taking the number to 20 million users. This amounts to 894GB of leaked data.
Following this discovery, vpnMentor found that UFO VPN was not the only one and six others that were seemingly connected to a common app developer and white labeled for other companies were found to be doing the same. These include Fast VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN. Notably, all of these apps claim they do not log any user original IP address or user activity. It was found that a total of 1.2TB of data was leaked.
The good news is that the biggest VPN companies that most people probably use, have not been implicated in this report.
The team at vpnMentor found that the VPNs share an Elasticssearch server, have a single recipient for payments, Dreamfii HK Limited, and share a lot of the assets. They reached out to the various VPN services involved and while some of them did not respond, others stated after several days that the issue had been fixed. Most of these VPN apps are still listed on the Google Play store.
Potential impact of data leak
This data leak could lead to phishing and fraud, blackmail, viral attack, hacking, doxing, and other forms of cybercrimes. Over 20 million people worldwide could have been exposed to this leak. Users are advised change their passwords or to switch to a more secure VPN service provider.