UFO VPN, which said it had a strict ‘no-logs policy’, exposed user log files including the account passwords of 20 million users
Researchers from Comparitech discovered an exposed database belonging to a Hong Kong-based VPN service provider called UFO VPN. The Comparitech researchers said that the database held user logs, including account passwords stored in plain text, and that it was exposed for nearly three weeks. “It’s not clear how many users are affected, but our findings suggest that potentially all users who connected to UFO VPN at the time of exposure could be compromised. UFO VPN claims to have 20 million users on its website, and the database exposed more than 20 million logs per day,” Comparitech stated.
The database contained information on both free and paid UFO VPN users. The server hosting the data was first indexed by the search engine Shodan.io on June 27; Comparitech’s researchers discovered it on July 1, 2020. The data was exposed because it sat in an unprotected Elasticsearch cluster, reachable from the internet without any authentication. The 894 GB database contained the following user information:
- Account passwords in plaintext
- VPN session secrets and tokens
- IP addresses of both user devices and the VPN servers they connected to
- Connection timestamps
- Device and OS description
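The root cause Comparitech described, an Elasticsearch cluster answering on the open internet with no authentication in front of it, is easy to verify against your own infrastructure. The Python below is an added example written for this article, not code from Comparitech or UFO VPN: classify_root_response decides from the reply to GET / whether a node demands credentials, and summarise_indices totals what GET /_cat/indices?format=json&bytes=b would hand an anonymous caller. The sample responses are constructed, the index names and sizes are invented, and probe() only makes a live request if you point it at a cluster you are authorised to test.

```python
import json
import urllib.error
import urllib.request

# Banner returned by GET / on any Elasticsearch node (a constant of the product).
ES_TAGLINE = "You Know, for Search"

# Constructed sample replies, shaped like real Elasticsearch responses; not captured from UFO VPN.
OPEN_ROOT = json.dumps({
    "name": "node-1",
    "cluster_name": "analytics",
    "version": {"number": "6.8.0"},
    "tagline": ES_TAGLINE,
})
LOCKED_ROOT = json.dumps({
    "error": {"type": "security_exception",
              "reason": "missing authentication credentials for REST request [/]"},
    "status": 401,
})
CAT_INDICES = json.dumps([  # invented index names and sizes
    {"index": "vpn-sessions-2020.06.27", "docs.count": "20000000", "store.size": "1073741824"},
    {"index": "vpn-sessions-2020.06.28", "docs.count": "10000000", "store.size": "536870912"},
])


def classify_root_response(status, body):
    """Classify the reply to GET http://host:9200/.

    401/403 means a security plugin or reverse proxy is asking for credentials.
    A 200 carrying the Elasticsearch banner means anyone who can reach the port
    can read every index, which is the state Comparitech described.
    """
    if status in (401, 403):
        return "auth_required"
    if status != 200:
        return "not_elasticsearch"
    try:
        doc = json.loads(body)
    except ValueError:
        return "not_elasticsearch"
    if isinstance(doc, dict) and (doc.get("tagline") == ES_TAGLINE or "cluster_name" in doc):
        return "open_elasticsearch"
    return "not_elasticsearch"


def summarise_indices(cat_indices_body):
    """Summarise GET /_cat/indices?format=json&bytes=b: how much an anonymous reader gets."""
    rows = json.loads(cat_indices_body)
    total_bytes = sum(int(row.get("store.size") or 0) for row in rows)
    total_docs = sum(int(row.get("docs.count") or 0) for row in rows)
    return {
        "index_count": len(rows),
        "total_docs": total_docs,
        "total_bytes": total_bytes,
        "indices": sorted(row["index"] for row in rows),
    }


def _get(url, timeout):
    """Return (status, body) for a GET, treating HTTP error codes as normal replies."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.getcode(), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def probe(base_url, timeout=5.0):
    """Live check against a cluster you are authorised to test (not exercised by the test)."""
    base = base_url.rstrip("/")
    try:
        status, body = _get(base + "/", timeout)
        verdict = classify_root_response(status, body)
        result = {"verdict": verdict}
        if verdict == "open_elasticsearch":
            status, body = _get(base + "/_cat/indices?format=json&bytes=b", timeout)
            if status == 200:
                result.update(summarise_indices(body))
        return result
    except (urllib.error.URLError, OSError):
        return {"verdict": "unreachable"}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:9200"
    print(json.dumps(probe(target), indent=2))
```

The same check from a shell is `curl -s http://HOST:9200/_cat/indices?v`: if that prints an index list without credentials, the cluster is in the state this article describes, and a firewall rule on 9200/9300 or the built-in security features need to be in place before anything else.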
UFO VPN’s strict no-logging policy
UFO VPN is owned by Hong Kong-based ToolsForest Ltd. It claims a strict no-logging policy and states that any data it does collect is anonymized. The exposed records tell a different story: Comparitech’s researchers say that “based on the contents of the database, users’ information does not appear to be anonymous at all.”
The company, though, offers a different explanation: “In this server, all the collected information is anonymous and only be used for analyzing the user’s network performance & problems to improve service quality. So far, no information has been leaked,” the company told Comparitech.
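What “anonymous” would actually have to mean for records like these is worth spelling out. The Python below is an added example written for this article, not UFO VPN’s code and not a description of how its pipeline works: a sanitiser that drops credentials and session tokens before an event is indexed, replaces the client address and account with keyed pseudonyms, coarsens the timestamp, and keeps the account password as a salted scrypt hash rather than the plaintext Comparitech found. The sample event, the field names and the HMAC key are all assumptions.

```python
import hashlib
import hmac
import ipaddress
import os
from datetime import datetime

# Constructed sample event with the field types Comparitech listed; not a real UFO VPN record.
SAMPLE_EVENT = {
    "account": "alice@example.com",
    "password": "hunter2",
    "session_token": "c3f1e9d2a7b4",
    "client_ip": "203.0.113.45",
    "server_ip": "198.51.100.7",
    "connected_at": "2020-07-01T10:15:42Z",
    "device": "Android 10; Pixel 3",
}

# Credentials and session material have no analytics value: drop them outright, never mask.
SECRET_FIELDS = {"password", "passwd", "session_token", "token", "secret", "cookie"}

# scrypt parameters for the account store (16 MiB per hash; assumption, tune per deployment).
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def pseudonymise(value, key):
    """Keyed HMAC truncated to 64 bits: stable per key, so sessions from one client
    can still be counted, but unlinkable once the key is destroyed. An unkeyed hash
    would not do: the IPv4 space is small enough to brute-force a plain SHA-256."""
    return hmac.new(key, value, hashlib.sha256).hexdigest()[:16]


def pseudonymise_ip(ip_str, key):
    """Pseudonymise a textual IPv4/IPv6 address; raises ValueError on junk, by design."""
    return pseudonymise(ipaddress.ip_address(ip_str).packed, key)


def sanitise_event(event, key):
    """Reduce a raw connection event to what a network-performance analysis needs."""
    out = {}
    for field, value in event.items():
        if field.lower() in SECRET_FIELDS:
            continue                                   # never leaves the VPN node
        if field == "client_ip":
            out["client_id"] = pseudonymise_ip(value, key)
        elif field == "account":
            out["account_id"] = pseudonymise(value.encode("utf-8"), key)
        elif field == "connected_at":                  # hour granularity is enough for load graphs
            ts = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
            out[field] = ts.replace(minute=0, second=0).strftime("%Y-%m-%dT%H:%M:%SZ")
        else:
            out[field] = value                         # server_ip, device: needed for diagnostics
    return out


def hash_password(password, salt=None):
    """Account store entry: random salt plus scrypt digest, hex, '$'-separated."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return salt.hex() + "$" + digest.hex()


def verify_password(stored, candidate):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    recomputed = hashlib.scrypt(candidate.encode("utf-8"), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(recomputed.hex(), digest_hex)


if __name__ == "__main__":
    demo_key = os.urandom(32)                          # would live on the collector, not in the index
    print(sanitise_event(SAMPLE_EVENT, demo_key))
    print(hash_password(SAMPLE_EVENT["password"]))
```

The pseudonyms only hold while the HMAC key stays out of the log store: with the key, an IPv4 pseudonym can be reversed over the whole address space in minutes. Keep the key on the collector, rotate it, and the rows in an exposed index can no longer be tied to a person or an address, which is the property the company’s statement asserts and the exposed records lacked.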
The company’s handling of the incident is also telling: Comparitech reported the exposure on 1 July, and the database was not secured until 15 July. The company told Comparitech that, “due to personnel changes caused by COVID-19, we’ve not found bugs in server firewall rules immediately, which will lead to the potential risk of being hacked. And now it has been fixed.”
It is particularly concerning that UFO VPN is based in Hong Kong: the exposed connection logs could have put Hong Kong protesters’ data in the hands of the Chinese authorities.