Seven 'Zero Logging' VPN Providers Accused Of Leaking User Data Over The Web
The internet is a place where it's difficult to trust anything that anyone says. A recent case in which more than a handful of VPN providers that claim to keep no logs of their users' activity nonetheless leaked activity logs highlights that you can't trust anyone online. As it turns out, the seven VPN providers were logging user activity, and those logs have now leaked onto the internet. The first logs discovered were from a company called UFO VPN.
UFO VPN had an unsecured Elasticsearch cluster that left the log files facing the public internet for anyone to discover. The logs were found by Bob Diachenko from a company called Comparitech. The records contained copious amounts of data on UFO VPN users, including what appeared to be plaintext passwords, VPN session secrets and tokens, IP addresses of user devices, and the VPN servers they connected to. The data also included timestamps, location information, device characteristics, and OS versions of free-tier users who saw ads.
Things got worse a few days later when the same unsecured data was discovered by a team led by Noam Rotem at VPNmentor. That team found that seven different VPN providers based in Hong Kong, including UFO VPN, Fast VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN, all shared a common entity providing white-label VPN service.
All of those companies were leaking data from the same unsecured Elasticsearch cluster. In total, 1.2 TB of data was sitting in the open, representing over a billion total log entries. Many of the entries appeared to contain highly sensitive information, including usernames, emails, and home addresses. Bitcoin and PayPal payment information was also leaked.
UFO VPN claimed the logs were kept for traffic-performance monitoring only and that the data was anonymized. Keeping records for performance monitoring goes against its bolded claim of keeping no logs. Both Comparitech and VPNmentor disagree with UFO VPN's claims. VPNmentor went so far as to say that it didn't believe the data was anonymized.
These companies are certainly not the first VPN providers that had a problem with security. Late in 2019, one of the most popular VPN providers, called NordVPN, admitted that it had been hacked. However, it said the server accessed didn't contain any user activity or information on usernames and passwords.