A hot deal turned sour after a hacker successfully stole details of more than 21 million free mobile VPN users. Remember, a VPN is meant to create a layer of security and protect you from falling into a cyber-security nightmare. But in this case, the providers illegally logged their users’ information and reportedly exposed it to the wrong hands.
The data that the hacker advertised for sale last week included email addresses, passwords, device IDs, and payment details stored on the servers of three VPN service providers: ChatVPN, SuperVPN, and GeckoVPN.
This is the most recent privacy setback for the VPN arena. It follows an incident in late 2020 in which users of popular VPNs were advised to double-check their security details after multiple VPN service providers were found to have exposed their users’ data.
Recent research discovered an unprotected database with over 1.2TB of user information belonging to seven different VPN providers, despite their claims of not logging user data. The VPN providers on this list included UFO VPN, Rabbit VPN, FAST VPN, Flash VPN, Free VPN, Secure VPN, and Super VPN.
Users feel left alone on online security issues
As this has become the trend, users increasingly feel left on their own. In a tweet, cyber-security researcher Troy Hunt called the whole issue a mess and emphasized why it is crucial to use only a trustworthy VPN.
So this is a mess, and a timely reminder of why trust in a VPN provider is so crucial. This level of logging isn’t what anyone expects when using a service designed to *improve* privacy, not to mention the fact they then leaked all the data. https://t.co/xSPUDjbJhb
— Troy Hunt (@troyhunt) February 28, 2021
The most worrying part of this story is that the VPN providers whose data was exfiltrated are among the most popular ones on the market. For instance, SuperVPN has more than 100 million installs, GeckoVPN has more than 1 million installs, and ChatVPN trails with more than 50,000 installs on the Google Play Store.
Despite the popularity that SuperVPN enjoys, it is also the worst-reviewed Android VPN service provider. In May last year, one of the reviewers at TechRadar Pro discovered many vulnerabilities within the tool. The only thing the reviewer had to say was that SuperVPN contained “worthless Privacy Policies.” He went on to say that the provider’s privacy policy was simply lifted from other providers’ policies and that it even contradicts itself.
Less than a year later, the tool is again in the spotlight with its massive user information leak scandal. This incident also prompts us to question the types of user information that the app is collecting.
Getting back to the hacker who stole the information from the three VPN providers, the user data that was placed for sale included email addresses, countries of residence, users’ full names, online banking, and payment details. The database also contains passwords and users’ premium status, along with their dates of expiry.
Following the news, the Privacy Savvy security team discovered that the exposed data also included device serial numbers, device IMSI numbers, device types, and manufacturers. This data was taken from publicly accessible databases that the VPN developers had left unsecured.
Dangers of using VPN providers that log your data
If the data that the hacker has put on offer is genuine, then free VPN tools are clearly collecting more user data than they state in their privacy policies.
The other bitter truth to ponder is that hackers are more likely to be able to access the servers of free VPNs. In theory, we use a VPN to encrypt our online traffic. It helps protect our privacy from hackers and the prying eyes of other third parties, including but not limited to ISPs and government agencies.
That is why users are advised to go with a trusted VPN that does not log their data or collect any other background information. Otherwise, data collected by VPNs that log user information can easily be used against those users. And as this leak has demonstrated, exposed user data, device information, and stolen credentials can be the awful costs of choosing the wrong VPN provider.