Researchers have discovered an unprotected database containing 1.2TB of information about users of seven separate VPN services, all of which claim to collect no user logs.
First identified by researchers at Comparitech, the Elasticsearch cluster was exposed to the internet with no authentication, so anyone who found its address could query it. It held user data including login credentials, IP addresses, connection timestamps and more.
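An exposure like this is found by requesting the cluster's standard endpoints without credentials and seeing whether it answers. The following is an added example, not code from Comparitech, vpnMentor or any of the providers named here; it classifies the HTTP responses that a no-auth Elasticsearch cluster returns and flags index names that look like user or activity data. The response bodies are constructed for the example, and the probe paths and keyword list are the author's assumptions.

```python
import json
import urllib.error
import urllib.request

# Assumed probe paths: the cluster root, cluster health and the index listing.
# All three answer on an unauthenticated Elasticsearch node.
PROBE_PATHS = ("/", "/_cluster/health", "/_cat/indices?format=json")

# Constructed sample responses (not real data from the incident).
ROOT_RESPONSE = json.dumps({
    "name": "node-1", "cluster_name": "elasticsearch",
    "version": {"number": "7.6.2"}, "tagline": "You Know, for Search",
})
CAT_INDICES_RESPONSE = json.dumps([
    {"health": "yellow", "status": "open", "index": "connection_logs",
     "docs.count": "1200000", "store.size": "900mb"},
    {"health": "green", "status": "open", "index": "users",
     "docs.count": "35000", "store.size": "12mb"},
    {"health": "green", "status": "open", "index": ".kibana_1",
     "docs.count": "12", "store.size": "40kb"},
])
AUTH_REQUIRED_RESPONSE = json.dumps({"error": {"type": "security_exception"}, "status": 401})


def classify(status, body):
    """Classify one HTTP response as 'open', 'auth_required' or 'unknown'.

    A 401/403 means the security layer is on. A 200 whose JSON carries the
    cluster's version/cluster_name block, or a list of index records, means
    the node answered a query that needed no credentials at all.
    """
    if status in (401, 403):
        return "auth_required"
    if status != 200:
        return "unknown"
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return "unknown"  # e.g. an HTML page from a proxy, not Elasticsearch
    if isinstance(data, dict) and ("version" in data or "cluster_name" in data):
        return "open"
    if isinstance(data, list) and data and isinstance(data[0], dict) and "index" in data[0]:
        return "open"
    return "unknown"


def sensitive_indices(cat_indices_body, keywords=("log", "user", "session", "auth", "account")):
    """Return sorted index names from /_cat/indices?format=json whose names suggest user or activity data.

    The keyword list is an assumption; tune it to the environment being assessed.
    """
    records = json.loads(cat_indices_body)
    names = {r["index"] for r in records
             if any(k in r["index"].lower() for k in keywords)}
    return sorted(names)


def probe(base_url, timeout=5):
    """Live check: request each probe path with no credentials and classify the answer.

    Network-only; run it solely against hosts you are authorised to test.
    """
    results = {}
    for path in PROBE_PATHS:
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"Accept": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                results[path] = classify(resp.status, resp.read().decode("utf-8", "replace"))
        except urllib.error.HTTPError as err:
            results[path] = classify(err.code, err.read().decode("utf-8", "replace"))
        except (urllib.error.URLError, OSError):
            results[path] = "unreachable"
    return results


def demo():
    """Run the classifier over the constructed responses (no network)."""
    return {
        "root": classify(200, ROOT_RESPONSE),
        "indices": classify(200, CAT_INDICES_RESPONSE),
        "secured": classify(401, AUTH_REQUIRED_RESPONSE),
        "sensitive": sensitive_indices(CAT_INDICES_RESPONSE),
    }


if __name__ == "__main__":
    print(demo())
```

If the root or index listing classifies as "open", the node is serving its data to anyone who can reach it. The corrective on the server side is to stop binding the HTTP port to a public interface (`network.host` in `elasticsearch.yml`) and to turn on the security layer (`xpack.security.enabled: true`) so that the same requests come back as 401, which is exactly what the classifier treats as "auth_required".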
It was first thought the data was managed solely by UFO VPN, but a separate team at VPNmentor later discovered that six other providers share the database, as part of a white-labelling arrangement.
Beyond UFO VPN, data relating to users of FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN and Rabbit VPN was also compromised.
TechRadar Pro has requested a comment from UFO VPN, but did not immediately receive a response.
The incident represents unwelcome news for VPN users everywhere, who have little choice but to trust in the privacy promises made by providers. As made clear by the nature of the data held on the exposed server, no-logs policies cannot always be taken at face value.
All seven providers publish no-logs policies. The shared database (containing 1,083,997,361 log entries in total) shows that they nevertheless collect a range of internet activity logs, contrary to those policies.
“We found multiple instances of internet activity logs on their shared server,” explained VPNmentor.
“This was in addition to the personally identifiable information, which included email addresses, clear text passwords, IP addresses, home addresses, phone models, device ID, and other technical details.”
The current political climate in Hong Kong, where all seven VPN providers are based, adds another layer of jeopardy. With contentious new security laws recently imposed on the city by Beijing, many Hong Kong residents have turned to VPN services in a bid to preserve their online privacy.
However, with local law enforcement granted the power to seize VPN servers without warrant, disingenuous no-log policies have the potential to cause significant harm to users whose web activity could implicate them.
VPN providers are already beginning to flee Hong Kong in response to the new security laws, for fear equipment could be requisitioned by Chinese law enforcement.
To allay concerns about false no-log policies, users should seek out a trusted provider whose service is audited regularly by an independent third party. Both ExpressVPN and NordVPN, for example, recently underwent no-log audits to ensure privacy standards are upheld. Even an audit is a point-in-time check of the systems the auditor was shown, so it reduces, rather than removes, the trust a user has to place in the provider.
Via The Register