A group of free VPN apps reportedly exposed a treasure trove of private data of millions of users. Discovered by vpnMentor, a total of seven VPN providers, all of which explicitly claimed they didn’t record their users’ activities, left more than a terabyte of browsing logs out in the open for anyone to access.
The leaked data silo housed a wide range of sensitive data, some of which was personally identifiable too. VpnMentor claims it included records of the websites users visited, plain-text passwords, PayPal payment information, device specifications, email addresses, and more.
While the data since then has been taken down, vpnMentor was independently able to confirm the data was channeled from these VPN apps by browsing through new accounts and cross-verifying it with the updated database.
In addition, all of the affected VPN apps are owned by the same Hong Kong-based parent company and were simply rebranded versions of the same VPN service. They were distributed under variations of generic names such as Super VPN, Fast VPN, Flash VPN, and more — a pattern commonly found in such data leak incidents. Most of them had more than 10 million downloads on the Google Play Store and iOS App Store and their listings haven’t been pulled yet.
We’ve reached out to Google and Apple for more information and we’ll update the story when we hear back.
“We do not track user activities outside of our Site, nor do we track the website browsing or connection activities of users who are using our Services,” one of them called UFO VPN boldly wrote in its privacy policy.
A spokesperson for UFO VPN argued that the database didn’t feature any personal information, and that the coronavirus prevented its staff from securing the server. The email addresses, they added, were of users who had sent them feedback and accounted for less than 1% of the entire data.
“Due to personnel changes caused by COVID-19, we‘ve not found bugs in server firewall rules immediately, which will lead to the potential risk of being hacked. And now it has been fixed,” the spokesperson told vpnMentor.
VPN apps are capable of monitoring your internet traffic and hence, it’s key to ensure the one you’ve installed has a secure infrastructure in place. If you were using any of these affected apps, here are a few alternatives.