Nowadays a VPN is becoming almost essential for online activity, but these free VPNs, which claimed to keep a 'zero log' policy, were not being as honest as they made out. Yes, you read it right: UFO VPN leaked the private data of over 20 million users.
Which VPNs Were Involved
There were several involved, but the biggest apps were UFO VPN, FAST VPN and Rabbit VPN. In total they had over 20 million users, and although they stated they have a zero log policy, they managed to leak over 1TB of users' private information.
UFO is the main VPN in question, as it was by far the biggest and also had a premium subscription option. This means paid users will also have registered using a username and password, which are often reused for other accounts such as banking, subscriptions, PayPal, etc.
At the start of July, Comparitech found that Hong Kong-based VPN provider UFO VPN had exposed personal user information such as plain-text passwords, VPN session secrets, IP addresses, connection timestamps, geo-tags, and device and OS characteristics. The company was informed of the exposure and, more than two weeks later, reportedly fixed the issue, stating that no information had been leaked. The leak affects both free and paid customers, and reportedly all users of the service are potentially affected, taking the number to 20 million users. This amounts to 894GB of leaked data.
Following this discovery, vpnMentor found that UFO VPN was not the only one: six other apps, seemingly connected to a common app developer and white-labelled for other companies, were found to be doing the same. These include Fast VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN. Notably, all of these apps claim they do not log users' original IP addresses or activity. In total, 1.2TB of data was found to have been leaked.
What Data Was Leaked
Although UFO VPN claimed none of the following was stored, there is now evidence to think otherwise. Below is the user data that could have been compromised:
- Account passwords in plain text
- VPN session secrets and tokens
- IP addresses of both user devices and the VPN servers they connected to
- Connection timestamps
- Device and OS characteristics
- URLs that appear to be domains from which advertisements are injected into free users’ web browsers
“We do not track user activities outside of our Site, nor do we track the website browsing or connection activities of users who are using our Services.”
Could You Be At Risk
We saw a post from Streaming Privacy which shows the dangers of the exposed data and what could be at risk:
The plain-text passwords are the clearest and most direct threat. Hackers could not only use them to hijack UFO VPN accounts, but might also be able to carry out credential stuffing attacks on other accounts. If the same password is used across multiple accounts, they could all be compromised.
IP addresses could be used to discern users’ whereabouts and corroborate their online activity. VPNs are often used to hide users’ real locations and online activity.
The session secrets and tokens could be used to decrypt session data that an attacker might have captured. For example, if an attacker intercepted encrypted data being sent through the VPN on a compromised Wi-Fi network, they could conceivably decrypt that data with this information.
Email addresses could be used to target users with tailored phishing messages and scams.
This exposure demonstrates why we routinely encourage readers to avoid free VPN services, which tend to have subpar security and privacy standards. Ideally, a VPN service should keep no logs at all, including IP addresses.