A string of “zero logging” VPN providers have some explaining to do after more than a terabyte of user logs were found on their servers unprotected and facing the public internet.
This data, we are told, included in at least some cases clear-text passwords, personal information, and lists of websites visited, all for anyone to stumble upon.
It all came to light this week after Comparitech’s Bob Diachenko spotted 894GB of records in an unsecured Elasticsearch cluster that belonged to UFO VPN.
The silo contained streams of log entries as netizens connected to UFO’s service: this information included what appeared to be account passwords in plain text, VPN session secrets and tokens, IP addresses of users’ devices and the VPN servers they connected to, connection timestamps, location information, device characteristics and OS versions, and web domains from which ads were injected into the browsers of UFO’s free-tier users.
More than 20 million entries were added a day to the logs, according to Comparitech, and UFO happens to boast on its website it has 20 million users. Diachenko said he alerted the provider to the misconfiguration on July 1, the day he found the unprotected database, and heard nothing back.
Oh, it gets worse
A few days later, on July 5, the data silo was separately discovered by Noam Rotem’s team at VPNmentor, and it became clear the security blunder went well beyond UFO. It appears seven Hong-Kong-based VPN providers – UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN – all share a common entity, which provides a white-labelled VPN service.
And they were all leaking data onto the internet from that unsecured Elasticsearch cluster, VPNmentor reported. Altogether, some 1.2TB of data was sitting out in the open, totaling 1,083,997,361 log entries, many featuring highly sensitive information, it is said.
This exposed cluster contained, we’re told, at least some records of websites visited, connection logs, people’s names, subscribers’ email and home addresses, plain-text passwords, Bitcoin and Paypal payment information, messages to support desks, device specifications, and account info.
“Each of these VPNs claims that their services are ‘no-log’ VPNs, which means that they don’t record any user activity on their respective apps,” Rotem’s team said. “However, we found multiple instances of internet activity logs on their shared server. This was in addition to the personally identifiable information, which included email addresses, clear text passwords, IP addresses, home addresses, phone models, device ID, and other technical details.”