A group of free VPN apps have reportedly uncovered a treasure trove of millions of users' private data. Discovered by vpnMentor, a total of seven VPN providers, all of which expressly claimed that they had not recorded their users' activities, left more than one terabyte of browser logs open to everyone.
The leaked data silo contained a variety of sensitive data, some of which was also personally identifiable. VpnMentor claims it contained records of websites visited, plain text passwords, PayPal payment information, device specifications, email addresses, and more.
While the data has since been deleted, vpnMentor has been able to independently confirm that the data has been channeled by these VPN apps by searching new accounts and matching them with the updated database.
In addition, all affected VPN apps belong to the same parent company based in Hong Kong and were simply renamed to versions of the same VPN service. They have been distributed under various generic names such as Super VPN, Fast VPN, Flash VPN and more – a pattern that often occurs with such data leak incidents. Most of them had more than 10 million downloads on the Google Play Store and iOS App Store and their entries have not yet been accessed.
We have contacted Google and Apple for more information, and we will update the story as soon as we learn about it.
A spokesman for UFO VPN argued that the database contained no personal information and that the corona virus prevented its employees from securing the server. The email addresses came from users who sent them feedback and who made up less than one percent of the total data.
“Due to personnel changes caused by COVID-19, we didn't immediately find bugs in the server firewall rules that could pose a potential risk to hackers. And now it has been fixed, ”the spokesman told vpnMentor.
VPN apps can monitor your internet traffic. It is therefore important to ensure that the app you have installed has a secure infrastructure. If you've used any of these affected apps, here are some alternatives you can try.