Big Price Paid for Using Free VPN

Chameleon, published in Incognito App, Jul 31, 2020

Seven free virtual private network (VPN) apps created by a Hong Kong-based developer were found leaking the personal data of over 20 million users, after their server was found to be completely open and accessible to third parties.

According to a report by Comparitech, at least 894 GB of data containing one of the VPN providers’ user logs and API access records — including account passwords, VPN session secrets and tokens, IP addresses, connection timestamps, geo-tags, and device and OS characteristics — was stored in an unsecured Elasticsearch cluster. The VPN provider, UFO VPN, reportedly denied the claim, saying the data in question was anonymous.

A VPN is meant to hide information that can put your privacy at risk. It encrypts your traffic between your device and the VPN server, so that the network you are on (a public Wi-Fi hotspot, for example) and your internet service provider (ISP) see only an encrypted tunnel, and the sites you visit see the VPN server’s address rather than the internet protocol (IP) address your ISP assigned to you. The aim is to make it impossible for your online activity to be traced back to you while you keep the freedom to access whatever app or website you want.

However, that seems not to be the case for Hong Kong’s UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN. Judging by their commonalities, they reportedly share the same developer and are likely ‘white-labeled’ apps created by one entity but rebranded under multiple names. Their systems were breached, and the lapse is having, and will continue to have, several impacts on both the VPN providers and their users.

Aside from the VPN providers losing a big chunk of their users, who may now feel betrayed and no longer trust the provider’s ability to deliver a secure service, the leak can give malicious hackers and cybercriminals a field day to launch phishing campaigns that could devastate users if successful.

The criminal options abound: sending fake emails to users whose data were exposed, imitating a real business to trick targets into handing over sensitive data like credit card details, manipulating their exposed PayPal or Bitcoin accounts to steal from them, or infecting targets with malicious software like ransomware.

Other nefarious activities that could follow from the exposed data of those who sought cover for their online activities via these VPNs include blackmail, extortion and threats, as well as setting in motion scenarios that would be deeply embarrassing in front of friends, family members, law enforcement agencies (under repressive regimes) and others. Some of the consequences could lead to arrest, persecution or even prosecution, depending on the location and the prevailing cultural, religious and customary beliefs at play.

Lessons We Have Learnt

To forestall a situation like this and protect users’ data from being exposed unnecessarily, below are some of the lessons learnt from the experience of these seven compromised VPNs:

  • VPN providers ought not to leave their servers completely open and accessible on the internet to avoid a breach.
  • If and when that happens, providers need to have procedures already in place so they can act swiftly with key stakeholders to secure any exposed data. This requires researching potential security weaknesses ahead of time: exploits, attack vectors, leaks and so on.
  • Providers need to quickly protect any unsecured server that could hold information that ought not to be recorded or logged in the first place.
  • Do not collect and store users’ personal information at all, or at the very least store it strongly encrypted. This includes home addresses, email addresses, passwords, failed login attempts and so on. In the recent case, the leak exposed Personally Identifiable Information (PII) including users’ full names, their home or work addresses, the origins of their IP addresses, the IP address of the VPN server they connected to, and their VPN account login credentials.
  • Do not expose the VPN server that users are connected to, nor its region and IP address; doing so renders the affected VPN service useless. Since the user’s origin IP address can be connected to their activity on the target server, sensitive information like PayPal API links could be easily accessed. As those who use cryptocurrencies like Bitcoin were also reportedly recorded in the logs, they could be identified by their registered email addresses and other identifiers exposed in the leak.
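The last two lessons above come down to data minimization: decide up front which fields a connection log may carry, and transform or drop everything else before a record ever reaches a search cluster. The following is an added illustration of that approach in Python; it is not Incognito’s code nor code from any of the providers named in the article. The record shape, field names (`user_id`, `client_ip`, `server_ip`, and so on), sample values and the demo key are all constructed for the example. It uses an allow-list rather than a deny-list, so a field that a developer adds to the logger later cannot silently leak into the index, and it flags any field that should never have been logged at all.

```python
"""Minimize a VPN connection log record before it is indexed.

Added example (not code from the original post). Allow-list approach:
every field not explicitly kept or transformed is dropped, so a new field
added to the logger cannot silently leak into the search cluster.
"""
from __future__ import annotations

import hashlib
import hmac
import ipaddress
from datetime import datetime

# Fields copied through unchanged; chosen because they carry no PII.
KEEP_AS_IS = {"event", "protocol", "bytes_up", "bytes_down"}

# Fields that must never reach the log store. The allow-list drops them
# anyway; this set only exists so their presence can be reported upstream.
NEVER_LOG = {"password", "session_secret", "token", "api_key", "email",
             "full_name", "home_address", "paypal_api_url"}


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256, truncated) so an account's sessions can be
    correlated in the index without storing the identifier itself.
    The key lives in a secrets manager, never in the cluster."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def coarsen_ip(addr: str) -> str:
    """Keep only a coarse network prefix: /16 for IPv4, /32 for IPv6."""
    ip = ipaddress.ip_address(addr)
    prefix = 16 if ip.version == 4 else 32
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def coarsen_time(ts: str) -> str:
    """Round an ISO-8601 timestamp down to the hour."""
    dt = datetime.fromisoformat(ts)
    return dt.replace(minute=0, second=0, microsecond=0).isoformat()


def minimize_record(record: dict, key: bytes) -> tuple[dict, list[str]]:
    """Return (minimized record, names of forbidden fields that were present)."""
    out: dict = {}
    flagged = sorted(k for k in record if k in NEVER_LOG)
    for name, value in record.items():
        if name in KEEP_AS_IS:
            out[name] = value
        elif name == "user_id":
            out["user_pseudonym"] = pseudonymize(str(value), key)
        elif name == "server_ip":
            # Operators can still tell servers apart without exposing the address.
            out["server_pseudonym"] = pseudonymize(str(value), key)
        elif name == "client_ip":
            out["client_net"] = coarsen_ip(value)
        elif name == "timestamp":
            out["hour"] = coarsen_time(value)
        # Anything else (email, password, session secret, region, ...) is dropped.
    return out, flagged


# Constructed sample record and demo key; values are placeholders.
SAMPLE_RECORD = {
    "timestamp": "2020-07-20T14:37:52+00:00",
    "event": "connect",
    "user_id": "user-12345",
    "email": "alice@example.com",
    "password": "hunter2",
    "session_secret": "deadbeef",
    "client_ip": "203.0.113.45",
    "server_ip": "198.51.100.7",
    "server_region": "hk",
    "protocol": "openvpn",
    "bytes_up": 1024,
}
DEMO_KEY = b"example-key-kept-in-a-secrets-manager"

if __name__ == "__main__":
    clean, flagged = minimize_record(SAMPLE_RECORD, DEMO_KEY)
    print("indexed record:", clean)
    print("fields that should never have been logged:", flagged)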

At Incognito, we follow strict privacy standards and make the safety of our users’ data our first priority.

Incognito: a fast and secure VPN with data control and ad-block functions to make sure you can stay incognito and worry-free whenever, wherever you want to be.

Check it out at www.incognitonetwork.com