Internet security researchers from Cybernews uncovered a repository containing more than 18 GB of connection logs generated by the Bean VPN app. It was reported that more than 25 million records contained details such as device IDs, Play Service IDs, IP addresses, and connection timestamps.
The researchers noticed the logs, which contain personally identifiable information of the app's users, during a routine checkup using ElasticSearch. The information in this database can be used to identify Bean VPN's users and determine their approximate location using geo-IP databases. The Play Service ID can reveal the email address with which the user is signed in to their device.
The Bean VPN app is not available on Apple's App Store and has more than 50,000 downloads on the Google Play Store, from which it appears to have eventually been pulled. On its website, the company says it doesn't keep user activity logs, including browsing history, traffic destination, data content, or DNS queries. Its privacy policy reads:
« We do not collect logs of your activity, including no logging of browsing history, traffic destination, data content, or DNS queries. We also never store connection logs, i.e., no logs of your IP address, your outgoing VPN IP address, connection timestamp, or session duration. We designed our systems not to have sensitive data about you; even when compelled, we cannot provide data that we do not possess.»
VPN tools are used to preserve one's privacy when going online. By disguising the device's true IP address and whereabouts, the user can avoid many forms of censorship and geographical restrictions. After invading Ukraine, the Russian government imposed a block banning its citizens from accessing Western media outlets, which caused a sharp peak in VPN downloads in the country.