- A collection of 21 million user records has appeared online, allegedly combining data from three Android VPNs.
- The services allegedly exposed the data by leaving user databases reachable online without password protection.
- One of the three VPN services that are included in the pack comes with well-documented risks.

A large collection of 21 million user records has appeared on a hacker forum and is available for purchase. The seller alleges that the data comes from a breach of three VPN services that are very popular in the Android world, namely SuperVPN, GeckoVPN, and ChatVPN. At the time of writing, the alleged breach has been neither confirmed nor debunked, so we can’t tell whether the seller’s claims are valid. However, the data appears to be real.
The seller has categorized the data in three archives, which contain the following user details:
- Email addresses
- Full names
- Country names
- Randomly generated password strings
- Payment-related data
- Premium member status and its expiration date
- Device serial numbers
- Phone types and manufacturers
- Device IDs
- Device IMSI numbers

The fact that these details were logged at all is a good reason to avoid these VPN vendors entirely, provided, of course, that the data is proven to belong to their user bases. The seller claims that the data was left exposed on unsecured databases that were running in their default configuration and were not protected with a password. If this is true, these VPN service providers have given another example of why they can’t be trusted.
Among the three, ChatVPN is a fairly small entity, GeckoVPN has a respectable 10 million installations, and SuperVPN has a mind-blowing 100 million users. A year ago, we discussed why SuperVPN is so unsafe that it shouldn’t even be available on the Play Store, yet it remains there to this day. In that post, we presented MITM risks, lack of strong encryption, and several privacy flaws. Also, the product’s developers are based in China, so the reasons behind the existence of security gaps are ambiguous.
Even if the data that’s available for purchase is proven not to belong to the three VPN apps mentioned above, we would still suggest that you avoid free VPN services and pick something truly reliable and trustworthy. If you’re looking for examples, check out our list of the seven best VPNs for the Android platform in 2021.