It seems VPN services aren’t as secure as you may imagine. Well, at least some of them. It turns out that the user data of seven Hong Kong based VPN providers has been leaked online. The VPN services include UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN and Rabbit VPN. These services claim to have as many as 20 million users around the world. Researchers have discovered that the data of potentially all of these 20 million users has been leaked online, totalling up to as much as 1.2TB worth of data.
A vpnMentor research team, led by Noam Rotem, uncovered the server and found Personally Identifiable Information (PII) data collected by these VPN apps has been leaked online. Interestingly enough, these VPN services claim to offer “no-log” VPNs, which would suggest they don’t keep records of any user activity on their network. At least that seems to be their big selling point. This revelation comes just days after security researcher Bob Diachenko revealed that as many as 894GB worth of records in an unsecured Elasticsearch cluster that belonged to UFO VPN were easily available for unauthorized access.
It turns out that some of the VPN apps are incredibly popular too, with very good ratings on the Google Play Store and the Apple App Store. Super VPN developed by Hong Kong based Nownetmobi has a rating of 4.6 stars on the Google Play Store and 4.9 stars on the Apple App Store. UFO VPN developed by Hong Kong based Dreamfii HK Limited has clocked 4.5 stars on the Google Play Store and 4.8 stars on the Apple App Store.
The vpnMentor research team say they have reached out to all the VPN app developers who are listed here and also the Hong Kong’s Computer Emergency Response Team (HKCERT) with the details.