Based on the user numbers the VPNs themselves claim, the vpnMentor research team, led by Noam Rotem, found Personally Identifiable Information (PII) for potentially over 20 million VPN users. A common app developer and owner appears to connect UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN. Although these VPNs claim that their services do not record any user activity in their respective apps, the team found multiple instances of internet activity logs on the server the apps share.
5 free VPN providers are affected
The team viewed detailed activity logs from each VPN and found that none of the VPNs provides the military-grade security features and zero-logs policy they advertise to protect their users' information. For instance, UFO VPN states that it is the #1 free VPN and boasts over 20 million users. Likewise, many of the VPNs, including Free-vpn.io, claim their apps are ‘zero logs’.
The vpnMentor research team said,
“This was in addition to the PII data, which included email addresses, clear text passwords, IP addresses, home addresses, phone models, device ID, and other technical details. We believe that the VPNs are ‘white-labeled’ apps, created by one entity and rebranded for use under multiple names.”
The team was surprised to see that some of the VPN package names also appear in the URLs for the apps on Google Play, while others may belong to Windows or Mac versions of the same app. To confirm their initial findings, they ran a series of tests using UFO VPN. They summarized this test, saying,
“Upon doing so, new activity logs were created in the database, with our personal details, including an email address, location, IP address, device, and the servers we connected to. Furthermore, we could see the username and password we used to register our account, stored in the logs as cleartext. This confirmed that the database was real and the data was live.”
UFO VPN team denied the data leak
After confirming the leak, the team contacted the VPN developers. Mobipotato HK Limited (FAST VPN) responded quickly but seemed unaware of any issue with an unsecured server.
UFO VPN Team sent this response:
- Due to personnel changes caused by COVID-19, we did not find the bugs in the server firewall rules immediately, which led to a potential risk of being hacked. It has now been fixed.
- Potential risk time: Jun 29 – Jul 13
- We do not collect and store users’ home addresses. In this server, all the collected information is anonymous and only used to analyze the user’s network performance and problems to improve service quality. Some feedback sent by users contains an email; however, the number is very small, less than 1% of our users.
- Clear text passwords are not the passwords for logging in to their accounts. They must be the tokens used to connect to VPN servers, and we collect them within feedback from users to check if a wrong token was applied. We name it “password” in feedback and store it in cleartext. But for user accounts and login passwords, we have all of them encrypted when transferring and storing.
The research team concluded this statement was incorrect. The exposed server was still live, with recent entries included in the logs. The exposed database contained a large amount of personal detail about users and technical information about the devices on which the VPNs were installed, including:
- Connection logs, traffic, and sites visited
- Origin IP addresses
- Internet Service Provider (ISP)
- Actual location
- Device type
- Device ID
- App version
- Phone models
- User network connection
Confirmation of the test
The vpnMentor research team shared many screenshots to confirm the database was live and the contents were real.
As for the impact on VPN users, malicious hackers and cybercriminals could use the exposed data to create very effective phishing campaigns. A phishing campaign involves sending fake emails to a target that imitate a real business. If malicious hackers had access to the VPN records, they could also target users for blackmail and extortion, threatening to expose their private activity.
Many of the millions of VPN users exposed in this leak live in countries with violently repressive governments, such as Iran and Sudan. Affected VPN users are advised to switch to a more secure provider.