Data from 20 million users of free VPN services are in the public domain
Experts found on open servers the data of 20 million users of free VPN services. The research group vpnMentor writes about it. The risk group includes users of UFO VPN, Fast VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN applications.
E-mail addresses, mobile identifiers, unprotected passwords, logs with user activity, and much more were in the public domain. The total amount of data was 1.2 terabytes. Many applications whose data are online have more than a million downloads on the Google Play and App Store and a high user rating. In addition, application developers promised their users “ protection identical to military-grade cryptosystems.”
An example of storing data of one of the Iranian users of the service
Researchers suggest that all applications whose data were on open servers are united by one owner. It turned out that the services have one payee in the person of Dreamfii HK Limited and one common Elasticsearch server for storing user data. In addition, services have a single template for recording data packets.
To check the database, the researchers downloaded the UFO VPN app. After using it, experts found data about their activity on the detected server. This confirmed the reality of the published information.
Experts found the database on July 5th. They tried to contact the developers several times and then contacted HKCERT (Hong Kong Computer Threat Response Coordination Center). July 15, the database was closed. The researchers also recommended that users of the aforementioned applications change their VPN service.