A free VPN app with more than 50,000 downloads on the Google Play store left a database containing 18.5GB of connection logs exposed on the internet for anyone to find.
According to Cybernews, which made the discovery, the exposed database belongs to BeanVPN and contained more than 25 million records including user device and Play Service IDs, IP addresses, connection timestamps and other diagnostic information.
While the Elasticsearch instance has since been secured, Cybernews security researcher Aras Nazarovas explained in a blog post what cybercriminals could do with the information it contained.
"The information found in this database could be used to de-anonymize BeanVPN's users and find their approximate location using geo-IP databases," Nazarovas wrote. "The Play Service ID could also be used to find out the user's email address that they are signed in to their device with."
Although privacy policies can often tell you quite a bit about a VPN company, it’s up to the businesses themselves to adhere to them.
Exposed databases continue to put consumers at risk
Exposed databases are a recurring problem for VPN companies and tech giants alike: because such databases aren’t password protected, anyone who finds one online can access it.
Back in March 2021, Cybernews discovered three databases leaked by SuperVPN, GeckoVPN and ChatVPN which contained the data of 21 million people. Email addresses, passwords, full names, country information and payment details from these databases were then sold on the dark web. Additionally, in May of this year, Cybernews found an unsecured database belonging to UK law enforcement agencies that contained information on millions of vehicles.
Unlike cyberattacks, where hackers exploit vulnerabilities or other weaknesses to gain access to sensitive data, an exposed database is the responsibility of the business that collected the data in the first place, because it failed to store that data securely. We all use passwords on our smartphones and laptops, so why aren’t companies doing the same with their databases? Besides losing customers over data privacy concerns, businesses that fail to secure their databases can also be fined by regulators.
Why opting for a paid VPN is your best bet
Saving a bit of cash by choosing a free VPN over a paid one may seem like a good idea at first, until you consider the limitations. Most free VPNs come with some kind of catch in the form of data limits, speed restrictions, fewer servers or fewer features.
If you just want a bit of extra privacy for certain tasks, then a free VPN may be worth your while. However, not all free VPNs are cut from the same cloth. Even if a free VPN app has a lot of downloads on the Google Play Store or Apple App Store, it may be selling your data or putting you at risk in other ways. This is why we’ve put together a list of the best free VPNs from reputable companies that are actually worth using.
Still, signing up for a paid VPN will always be the better option, as you’ll have access to more features with no restrictions, alongside regular updates and customer support you can contact if you run into any connection problems. Another option worth considering is signing up for one of the picks from our list of the best antivirus software, as many antivirus makers throw in access to a VPN as an extra. In fact, both Norton 360 Deluxe and Trend Micro Maximum Security include unlimited VPN access. This way you can secure devices against malware and other cyber threats while protecting your privacy with a VPN.