User data of seven Hong Kong based VPN providers leaked online

A vpnMentor research team, led by Noam Rotem, uncovered the server and found Personally Identifiable Information (PII) data collected by these VPN apps has been leaked online. Interestingly enough, these VPN services claim to offer “no-log” VPNs, which would suggest they don’t keep records of any user activity on their network. At least that seems to be their big selling point. This revelation comes just days after security researcher Bob Diachenko revealed that as many as 894GB worth of records in an unsecured Elasticsearch cluster that belonged to UFO VPN were easily available for unauthorized access.

The report stated that these VPNs exposed a database of user logs and API access records without a password or authentication. A separate report pointed out that UFO VPN was just one of the several VPN service providers that were leaking private information.

At the start of July, Comparitech found that Hong Kong-based VPN provider UFO VPN exposed personal user information like plain text passwords, VPN session secrets, IP addresses, connection timestamps, geo-tags, and device and OS characteristics. The company was informed about the same and more than two weeks later, it reportedly fixed the issue, stating that no information was leaked. The leak affects both free and paid customers and reportedly all users of the service are potentially affected, taking the number to 20 million users. This amounts to 894GB of leaked data.

Following this discovery, vpnMentor found that UFO VPN was not the only one and six others that were seemingly connected to a common app developer and white labeled for other companies were found to be doing the same. These include Fast VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN. Notably, all of these apps claim they do not log any user original IP address or user activity. It was found that a total of 1.2TB of data was leaked.

The good news is that the biggest VPN companies that most people probably use, have not been implicated in this report.

The team at vpnMentor found that the VPNs share an Elasticssearch server, have a single recipient for payments, Dreamfii HK Limited, and share a lot of the assets.

Potential impact of data leak

This data leak could lead to phishing and fraud, blackmail, viral attack, hacking, doxing, and other forms of cybercrimes. Over 20 million people worldwide could have been exposed to this leak. Users are advised change their passwords or to switch to a more secure VPN service provider.

It turns out that some of the VPN apps are incredibly popular too, with very good ratings on the Google Play Store and the Apple App Store. Super VPN developed by Hong Kong based Nownetmobi has a rating of 4.6 stars on the Google Play Store and 4.9 stars on the Apple App Store. UFO VPN developed by Hong Kong based Dreamfii HK Limited has clocked 4.5 stars on the Google Play Store and 4.8 stars on the Apple App Store.

The vpnMentor research team say they have reached out to all the VPN app developers who are listed here and also the Hong Kong’s Computer Emergency Response Team (HKCERT) with the details. While some of them did not respond, others stated after several days that the issue had been fixed.