The personal details of millions of people may have been exposed by the unsecured servers used by a variety of free VPN programs, according to new research from VPNMentor. The VPNs affected by the problem include UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN, all of which are apparently connected by a common app developer. According to VPNMentor, the lack of security potentially affected more than 20 million users.
Virtual private networks (VPNs) are meant to keep your identity more secretive and your browsing history more secure. But free VPN options have long been known to compromise user data in exchange for cheap anonymity. Unless a company is very reputable, you never really know whether your data is being routed in a secure manner.
Despite the known security risks associated with using free VPNs, many companies still thrive with them as their main product. But to use a VPN is to trust a program with handling every byte of your internet traffic — and maybe more than that if it’s not secure enough. The lesson here is simple, but it bears repeating: free VPNs are dangerous, and it’s best to stay away from them entirely, for the most part.
Everything exposed — The full extent of who’s seen the exposed information is not known, but researchers have found evidence that the servers in question could have exposed basically every bit of personal information stored by the VPN services. Usernames and passwords are only the beginning of the leak.
Researchers found entries within the exposed database with information including:
- Connection logs, traffic, and sites visited
- Origin IP addresses
- Internet Service Provider (ISP)
- Actual location
- Device type
- Device ID
- App version
- Phone models
- User network connection
Researchers were also able to view payment details — such as PayPal accounts and cryptocurrency logins — for users who had subscribed to premium services.
The database also included explicit information about the VPN server addresses being utilized by users of the program alongside the user’s origin IP address. This renders the VPN’s anonymity essentially useless, as it connects users with their respective activity on the VPN server.
What the companies say — Though the affected VPN programs seem to operate independently, they’re all linked by a common Hong Kong-based owner and developer. And, unsurprisingly, they’re keeping pretty tight-lipped about the exposed servers.
Spokespeople for UFO VPN and Fast VPN issued near-identical statements in response to questions about the servers:
“Due to personnel changes caused by COVID-19, we’ve not found bugs in server firewall rules immediately, which will lead to the potential risk of being hacked. And now it has been fixed.”
The statements state that all information on the VPN servers is anonymized and that the affected servers were only at-risk between June 29 and July 13. Researchers found this to be a blatant lie — none of the data was anonymous, and the servers were still open and live after July 13. They reached out with further information and never received a reply.
You never can be too safe — VPNs, once used only by the most tech-savvy of internet users, are more popular than ever, thanks to just how easy they are to come by. But many companies are looking to capitalize upon that market trend without actually providing the necessary security to keep their users safe.
As a general rule, it’s best to stay away from any free VPN offerings if you value your privacy. And whether the service is free or paid, it’s important to research how reputable the company is before utilizing its services. Otherwise, you’re liable to find yourself with lots of exposed data in exchange for that supposedly anonymized browsing experience.