Security

Several Hong Kong-Based VPN Apps Exposed Their Private User Data Online

By Bill Toulas
  • Seven Hong Kong-based VPN products have been proven to be recording massive amounts of user data.
  • The products have been storing this data on an unprotected Elasticsearch instance in a common server.
  • The data is very revealing, including names, emails, passwords, IP addresses, home addresses, and more.

A group of seven VPN products that are supposedly “no-log” services has exposed 20 million users by leaving a server unprotected online. All seven of the products come from the same Hong Kong-based developer, Dreamfii HK Limited, which is the reason why they were using the same Elasticsearch server.

The exposed VPNs are UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN. The number of files that were online exceeded a billion and the total data size was about 1.2 TB.

https://twitter.com/MayhemDayOne/status/1283413586279366661

The compromised user data includes the following:

  • Internet activity logs
  • Names
  • Email addresses
  • Passwords in plain text form
  • IP addresses
  • Home addresses
  • Smartphone device models and IDs

ufo-vpn-exposure
Source: Comparitech Blog

For “no-log” VPNs, this is way too much data to be collected, so these products’ marketing promises are straight out false. The exposed users are now running the risk of getting scammed, extorted, phished, or even arrested and prosecuted if they accessed websites that are banned in their home countries.

These apps enjoyed very good user rating scores on the Apple App Store and the Google Play Store, so they were trusted by millions of people. The fact that they’re free, though, should be enough for the users to expect issues when it comes to these products’ privacy and security.

Both Ran Locar and Bob Diachenko, who independently located the unsecured instance, have informed the owners of the VPN services about the security issue, but they were unresponsive. The date of discovery and notification is July 5, 2020, and the live server was not closed until ten whole days had passed. This is indicative of a VPN company that doesn’t care and comes as a topping on the cake of insecurity and bad practices followed across the board.

These VPN products will lose some users due to this incident, but the news won’t reach everyone, and free products are always a good lure for new users in the future.

As we have explained before, the only way to be certain about the validity of a VPN product’s “no logs” policy is to trust audits carried out by independent firms. For example, NordVPN has recently passed an audit of this kind, and PureVPN did the same last year. These are trustworthy products not because they make reassuring claims on their respective websites, but because they paid an auditing firm to thoroughly investigate their claims and confirm them as truthful.

Read More:

Add a Comment

Latest
Sports
Euro 2024 Qualifiers Live Stream: How to Watch International Soccer Online from Anywhere
Sachin Sharma - 0
The road to Euro 2024 is about to get underway, and Europe’s leading soccer stars will be battling it out to qualify...
Read more
Streaming
How to Watch Redemption Online for Free: Stream the Paula Malcomson Series from Anywhere
Lore Apostol - 0
Redemption is an upcoming British drama TV series featuring Paula Malcomson. You will find below all the information you may need, including...
Read more
Streaming
How to Watch The Real Murders of Atlanta Season 2 Online from Anywhere
Lore Apostol - 0
The Real Murders of Atlanta is back with a new set of episodes in Season 2, and we have the premiere date,...
Read more

© TechNadu 2023. All Rights Reserved.

Close lightbox
Facebook
Twitter
Linkedin
Reddit
Email
Copy Link
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari