Seven different VPN service providers collected and logged user information, contrary to their "no logging" policies, and left more than 1TB of user data belonging to as many as 20 million users unprotected on an open cloud server for anyone to find.
The exposed data included usernames, plaintext passwords, connection logs and website-visit histories.
The not-so-magnificent seven -- Fast VPN, Flash VPN, Free VPN, Rabbit VPN, Secure VPN, Super VPN and UFO VPN -- seem to be owned by the same company or to use the same third-party "white label" VPN infrastructure. The websites for all the services except UFO VPN are strikingly similar. All seem to be based in Hong Kong.
Last week, widely used VPN providers Private Internet Access and TunnelBear announced that they were shutting down their operations in Hong Kong due to a new law that gives Chinese authorities more power to spy on internet users and seize servers.
What to do if you use one of these VPNs
When you sign up for a virtual private network (VPN) service, especially one that claims to not log any of your usage data, you expect it to keep your information private. That doesn't seem to be what's happening here.
If you use any of these VPNs, we recommend you change your password for the service immediately, and change the same password on any other account for which you used it.
You should also stop using that VPN immediately and consider asking your VPN provider some tough questions. Tom's Guide has reached out to Dreamfii HK, parent company of UFO VPN, for comment, and we will update this story when we receive a response.
Unearthing a trove of data
Two different teams of security researchers found this user data online. First was Bob Diachenko of Comparitech, who discovered the server holding 894GB of UFO VPN data on July 1. Four days later, a team from VPNMentor found the same server and noticed that data from the other six VPNs was also included.
In total, more than a billion records comprising 1.2TB of data were exposed, including usernames, plaintext passwords, email addresses, home addresses, IP addresses, Bitcoin data, PayPal payment data, connection logs, session tokens, location information, customer complaint logs and website-visit histories.
"This lack of basic security measures in an essential part of a cybersecurity product is not just shocking," said the VPNMentor report. "It also shows a total disregard for standard VPN practices that put their users at risk."
How exposed VPN data puts users at risk
The VPNMentor team created an account with UFO VPN — and watched in real-time as their account's private personal information came into public view.
Logs showed that some users were accessing these VPNs from countries where VPN use is illegal, including Iran. The exposed database may have put those users in physical jeopardy.
Cybercriminals could have used the exposed usernames and passwords to hijack VPN accounts or mount credential-stuffing attacks on other services in the assumption that many users would have reused passwords.
As in most cases of exposed databases such as these, there's no evidence that anyone other than computer researchers accessed this data. However, because this particular server was indexed by the Shodan search engine on June 27, that meant it was listed as being accessible for more than two weeks.
The VPNMentor team tried contacting the VPN providers immediately, but got few responses. A few days later, VPNMentor reached out to Hong Kong's computer-emergency response team (CERT), but was told that this was not a Hong Kong problem. Finally, on July 15, the database on the server was secured.
"Due to personnel changes caused by COVID-19, we've not found bugs in server firewall rules immediately, which will lead to the potential risk of being hacked," UFO VPN said in matching statements to Diachenko and VPNMentor. "And now it has been fixed."
Of the seven compromised services, only UFO VPN seems to offer client software for personal computers as well as mobile devices. Another one, Super VPN, is mobile-only but like UFO VPN offers both free and paid plans.
The other five appear to be mobile-only and entirely free: Rabbit VPN, Secure VPN, Flash VPN, Free VPN, and Fast VPN.
Free mobile-only VPN providers are notorious for security holes, and we at Tom's Guide recommend that you not use any entirely free VPN providers. As the old adage goes, if you're not paying for the service, then you're the product.