More than 1.2 TB of data from users of 7 VPN apps in Hong Kong exposed online: Report

Hemani Sheth | Updated on July 20, 2020 | Published on July 20, 2020

The database has now been secured after a group of free VPN apps left their server open and accessible

User data from seven Hong Kong-based Virtual Private Network (VPN) apps was exposed online due to a lack of server-side security measures, according to a report by vpnMentor.

“A group of free VPN (virtual private network) apps left their server completely open and accessible, exposing private user data for anyone to see,” the report said.

“The vpnMentor research team, led by Noam Rotem, uncovered the server and found Personally Identifiable Information (PII) data for potentially over 20 million VPN users, according to claims of user numbers made by the VPNs,” it said.

The data exposed online amounted to 1.207 TB. Data exposed included “activity logs, PII (names, emails, home address), cleartext passwords, Bitcoin payment information, support messages, personal device information, tech specs, account info and direct Paypal API links.”

The impacted VPN apps are UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN and Rabbit VPN. All of these apps were hosted on an Elasticsearch server.

“Each of these VPNs claims that their services are ‘no-log’ VPNs, which means that they don’t record any user activity on their respective apps. However, we found multiple instances of internet activity logs on their shared server,” the report said.

According to the report, the apps likely belong to the same developer as they share a common server and are hosted on the same assets. The apps also have the same client for receiving payments — Dreamfii HK Limited.

Since the developers of these apps are headquartered in Hong Kong, the team alerted Hong Kong's Computer Emergency Response Team (HKCERT) office.

The database was secured on July 15, 10 days after the researchers had initially reached out to the developers.
