User data from seven Hong Kong-based Virtual Private Network (VPN) apps was exposed online due to a lack of server-side security measures, according to a report by vpnMentor.

“A group of free VPN (virtual private network) apps left their server completely open and accessible, exposing private user data for anyone to see,” the report said.

“The vpnMentor research team, led by Noam Rotem, uncovered the server and found Personally Identifiable Information (PII) data for potentially over 20 million VPN users, according to claims of user numbers made by the VPNs,” it said.

The data exposed online amounted to 1.207 TB. Data exposed included “activity logs, PII (names, emails, home address), cleartext passwords, Bitcoin payment information, support messages, personal device information, tech specs, account info and direct Paypal API links.”

The impacted VPN apps are UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN and Rabbit VPN. The data of all of these apps was hosted on an Elasticsearch server.

“Each of these VPNs claims that their services are ‘no-log’ VPNs, which means that they don’t record any user activity on their respective apps. However, we found multiple instances of internet activity logs on their shared server,” the report said.

According to the report, the apps likely belong to the same developer, as they share a common server and are hosted on the same assets. The apps also use the same payment recipient: Dreamfii HK Limited.

Since the developers of these apps are headquartered in Hong Kong, the team alerted Hong Kong's Computer Emergency Response Team (HKCERT).

The database was secured on July 15, 10 days after the researchers had first reached out to the developers.
