FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN, all of which have a strict no-logging policy, leaked a whopping 1.207 TB of user data
Yesterday we reported how Comparitech researchers found an unprotected Elasticsearch UFO VPN user log database leaking the details of 20 million users. Now a research team from vpnMentor has found another six VPN service providers leaking a whopping 1.207 TB of user data with 1,083,997,361 records.
All seven of these VPN service providers have a strict no-logging policy in place and yet maintained a detailed and meticulous log for each and every user. According to vpnMentor, the database contains user activity logs, usernames, emails, home addresses, cleartext passwords, bitcoin payment information, support messages, personal device information, tech specs, account info, and direct PayPal API links.
The VPN servers users connected to were also exposed, including their region and IP address. This makes using such a VPN service virtually useless, as the user's origin IP address can easily be connected to their activity on the target server. To check whether the database was live, the vpnMentor team signed themselves up for UFO VPN, and a user log for them was created immediately.
As vpnMentor put it: "To confirm our initial findings, we ran a series of tests using UFO VPN. After downloading it to a phone, we used the UFO VPN app to connect to servers around the world. Upon doing so, new activity logs were created in the database, with our personal details, including an email address, location, IP address, device, and the servers we connected to."
Like UFO VPN, these six VPN services took 15 days to secure the unprotected database, exposing millions of users to fraud, identity theft, doxing, blackmail, extortion, spamming, and hacking. If Hong Kong protesters were using these VPNs to stay connected or to organize meetings and protests, their data could be in the wrong hands and they could face arrest or persecution.
All seven VPN service providers were based in Hong Kong and used the same shared Elasticsearch server. In fact, their marketing agency and branding/advertisement are also the same. Each of these VPNs had a million-plus downloads, with two having 10 million+ downloads.
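The leak described above is the classic shape of an Elasticsearch exposure: a node bound to a public interface with no authentication in front of it. The following elasticsearch.yml fragments are an added illustration, not configuration from the article, from vpnMentor, or from any of the named providers; the certificate paths and cluster name are placeholders. The first fragment shows the weak pattern and the second the corrected one, so an operator can compare against their own node.

```yaml
# --- WEAK: listens on every interface, no authentication, no TLS ---
# (constructed example of the pattern that leads to an open index; not the providers' real config)
cluster.name: example-logs          # placeholder cluster name
network.host: 0.0.0.0               # binds the HTTP and transport ports on all interfaces
http.port: 9200
xpack.security.enabled: false       # anyone who can reach 9200 can read and delete every index

# --- CORRECTED: private bind, authentication on, TLS on ---
cluster.name: example-logs          # placeholder cluster name
network.host: 127.0.0.1             # listen only locally; put a reverse proxy or VPN in front if remote access is needed
http.port: 9200
xpack.security.enabled: true        # requires credentials (or API keys) for every HTTP request
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: /path/to/http.p12        # placeholder keystore path
xpack.security.transport.ssl.enabled: true                     # required for node-to-node traffic once security is on
xpack.security.transport.ssl.keystore.path: /path/to/transport.p12   # placeholder keystore path
xpack.security.transport.ssl.verification_mode: certificate
```

Binding to a private address limits the blast radius even if an authentication setting is later mistyped, while enabling security stops the "curl the cluster and list every index" access that researchers used to find these records. After the change, the node should answer an unauthenticated request with HTTP 401 rather than the cluster banner; checking that from an external address is the quickest confirmation.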
All seven of these VPN companies had a strict no-logging policy yet maintained detailed logs of their users, breaching their privacy. If you are using any of these seven VPNs, you should uninstall them as soon as possible.