User data from seven Hong Kong-based Virtual Private Network (VPN) apps was exposed online due to a lack of server-side security measures, according to a report by vpnMentor. You may also note that the Rabbit VPN app is no longer available on the Google Play Store.
According to researchers at vpnMentor, a VPN analyser, a server shared by several free VPN providers, namely Super VPN, Fast VPN, Free VPN, UFO VPN, Rabbit VPN, Flash VPN and Secure VPN, was exposed online without any authorization. The exposed details include personally identifiable information such as email addresses, home addresses, clear text passwords and IP addresses. Again, all these services have apps on the Play Store, each ranging from 10 thousand to 1 million installs. Researchers have discovered that the data of potentially all of these 20 million users has been leaked online, totalling as much as 1.2TB of data.
It also maintained that the company collected logs for performance monitoring and had kept them in an anonymized form, which vpnMentor refuted. One study found that VPN use quadrupled between 2016 and 2018 as consumers rushed to protect data in the wake of scandals, breaches, and hacks.
Once UFO VPN was informed about the leak, it reportedly fixed the issue. Not only is that not true (ISPs, for example, have a universe of ways to track you anyway), many VPN providers are even less ethical than privacy-scandal-plagued companies or ISPs.
The team at vpnMentor found that the VPNs share an Elasticsearch server, have a single recipient for payments, Dreamfii HK Limited, and share many assets.
After the recent incident, a spokesperson for UFO VPN claimed that the database didn't feature any personal information, and added that the coronavirus pandemic prevented its staff from securing the server. It is all too simple for some organizations to rebrand providers without being held to account for their claims.
Why are VPN servers being removed from Hong Kong? With these developments, it might be risky for the region, since threats to authorities may take advantage of VPNs to stay away from censorship and surveillance from mainland China.
This data leak shouldn't be taken lightly, as it may lead to numerous cases of phishing and fraud. In the meantime, if you use one of the affected services, it's probably time to start changing passwords.