Seven VPN apps accused of exposing more than a terabyte of private data
A group of free VPN apps reportedly exposed a treasure trove of private data of millions of users. Discovered by vpnMentor, a total of seven VPN providers, all of which explicitly claimed they didn’t record their users’ activities, left more than a terabyte of browsing logs out in the open for anyone to access.
The leaked data silo housed a wide range of sensitive data, some of which was personally identifiable too. VpnMentor claims it included records of the websites users visited, plain-text passwords, PayPal payment information, device specifications, email addresses, and more.
While the data has since been taken down, vpnMentor was able to independently confirm that it came from these VPN apps by browsing through new accounts and cross-verifying that activity against the updated database.
In addition, all of the affected VPN apps are owned by the same Hong Kong-based parent company and were simply rebranded versions of the same VPN service. They were distributed under variations of generic names such as Super VPN, Fast VPN, Flash VPN, and more — a pattern commonly found in such data leak incidents. Most of them had more than 10 million downloads on the Google Play Store and iOS App Store and their listings haven’t been pulled yet.
We’ve reached out to Google and Apple for more information and we’ll update the story when we hear back.
A spokesperson for UFO VPN argued that the database didn’t feature any personal information and that the coronavirus prevented its staff from securing the server. The email addresses, they added, were of users who had sent them feedback and accounted for less than a percent of the entire data.
“Due to personnel changes caused by COVID-19, we’ve not found bugs in server firewall rules immediately, which will lead to the potential risk of being hacked. And now it has been fixed,” the spokesperson told vpnMentor.