The report of a massive data breach affecting a number of VPN apps is making waves at the moment. The report states that seven Virtual Private Network services, among them Free VPN, Rabbit VPN, and UFO VPN, collectively leaked more than 1TB of user data and kept that information from users. The VPN services involved are said to have made too little effort to protect user logs and API access, with predictable results.
UFO VPN, for example, was alerted to a data leak early this July. Comparitech, which is one of the best security research firms around, discovered that this particular VPN provider was leaking all manner of personal data and speedily moved to alert it. The leaked data totals 894GB, affects users of both the free and paid versions of UFO VPN, and consists of the following:
- Account passwords in plain text
- Device and OS characteristics
- VPN session secrets and tokens
- Geo-tags
- IP addresses of user devices and the VPN servers they were connected to
- Connection timestamps
- URLs that appear to be domains from which advertisements are injected into free users’ web browsers
Once alerted to the leak, UFO VPN waited for a couple of weeks before announcing that it had patched the source of the leak, while also insisting that no private information was leaked. It attributed its slow response to the COVID pandemic, which is not very believable.
Comparitech compiled a report that stated as follows: “It’s not clear how many users are affected, but our findings suggest that potentially all users who connected to UFO VPN at the time of exposure could be compromised. UFO VPN claims to have 20 million users on its website, and the database exposed more than 20 million logs per day.”
The report also notes that while UFO VPN insists that it has a “strict no-logs policy” and that all collected data is anonymized, that does not appear to be the case at all, at least going by what was contained in the leaked database. According to the report “based on the contents of the database, users’ information does not appear to be anonymous at all”.
The Leak Widens
Soon after UFO VPN was found to be somehow leaking user data, vpnMentor went sleuthing and discovered that UFO VPN was not the only leaker, with 6 other VPN services being involved. These 6 comprise Free VPN, Flash VPN, Rabbit VPN, Fast VPN, Secure VPN, and Super VPN.
All 6 VPN apps still insist that their services do not log user activity or IP addresses, despite precisely such data appearing in the leak. The collective amount of data leaked from all 7 VPN apps is said to be around 1.2TB.
Regarding all these VPN apps and the leak, some rather startling information was uncovered by the vpnMentor team. The team discovered that all these VPNs have a lot in common, including a single payment recipient, shared assets, and a shared Elasticsearch server.
As of now, the majority of these VPN apps are still sitting pretty on the Google Play Store. Whether they will be pulled at some later time remains unclear.
What The Leak Means For Us All
As is to be expected, massive data leaks like this are no laughing matter. They can cause a lot of pain and suffering to people everywhere, who by virtue of the leak can expect increased exposure to fraud, blackmail, phishing attacks, doxing, hacking, and the like. With a potential 20 million people affected by this leak, there is a good chance that the result will be lives and credit ratings damaged or ruined.
The leaked plain-text passwords can, for example, be used to take over VPN accounts. Such hijacked accounts can then be used to mount credential-stuffing attacks against other accounts where the same password was reused. Exposed IP addresses can be used to locate those who do not wish to be found, such as political dissenters and activists, so the leak potentially compromises their physical security as well.
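The two worst items in the leaked database, plain-text passwords and session logs full of tokens and client IP addresses, are both avoidable on the service side. The following is an added illustration, not code from UFO VPN or any of the other providers named here: it contrasts a record that stores the password itself with one that stores only a salted, slow hash (PBKDF2-HMAC-SHA256 from the Python standard library), and shows a log-scrubbing step that drops secrets and truncates IP addresses before a record is written to a search index. The record layout, field names, and sample values are constructed for the example.

```python
import hashlib
import hmac
import os
import re
from typing import Optional

# Iteration count is illustrative; production deployments should tune it (or use
# Argon2/scrypt) so that one verification costs tens to hundreds of milliseconds.
PBKDF2_ITERATIONS = 200_000


def store_password_plaintext(password: str) -> dict:
    """'Before': the record keeps the secret itself. Anyone who reads the
    database (e.g. via an exposed Elasticsearch index) gets every password."""
    return {"password": password}


def store_password_hashed(password: str, salt: Optional[bytes] = None) -> dict:
    """'After': keep only a random per-user salt and a slow, salted hash.
    A leaked record lets an attacker guess, but never read, the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS, dklen=32)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify_password(record: dict, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS, dklen=32)
    return hmac.compare_digest(digest.hex(), record["hash"])


# Hypothetical field names a session logger might use; the set is constructed
# for this example and mirrors the categories listed in the leak report.
SECRET_FIELDS = {"password", "session_token", "session_secret"}
IPV4 = re.compile(r"\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\b")


def redact_log_record(record: dict) -> dict:
    """Return a copy of a session-log record safe to ship to a search index:
    secret fields are replaced, and any IPv4 address is truncated to /16 so
    the log is still useful for capacity planning but no longer locates a user."""
    scrubbed = {}
    for key, value in record.items():
        if key in SECRET_FIELDS:
            scrubbed[key] = "[REDACTED]"
        elif isinstance(value, str) and IPV4.search(value):
            scrubbed[key] = IPV4.sub(lambda m: f"{m.group(1)}.{m.group(2)}.0.0", value)
        else:
            scrubbed[key] = value
    return scrubbed


if __name__ == "__main__":
    # Constructed sample: one account and one session-log line.
    unsafe = store_password_plaintext("hunter2")
    safe = store_password_hashed("hunter2")
    print("plaintext record:", unsafe)
    print("hashed record:   ", safe)
    print("login ok:", verify_password(safe, "hunter2"),
          "| wrong pw:", verify_password(safe, "hunter3"))

    log_line = {
        "user": "user-0001",
        "password": "hunter2",
        "session_token": "tok-constructed-example",
        "client_ip": "203.0.113.45",
        "vpn_server": "198.51.100.7",
        "ts": "2020-07-01T12:00:00Z",
    }
    print("log as written:", redact_log_record(log_line))
```

The hashed record never contains the password string, so a leaked database yields only something to brute-force, and `redact_log_record` is the kind of step that would have made the "no-logs" claim at least partly true for the logs that were exposed.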
To protect themselves, all users of the above-mentioned VPN services said to be involved in the leak would be well advised to secure their data as much as they can by changing every password used on their VPN account, and anywhere else the same password was reused. They can also opt to move to other VPN services that take their security much more seriously and will notify them at once of any potential or actual data breach, rather than waiting as this bunch has done and hoping that things will magically get better.