This free VPN exposed 25 million user records — how to stay safe

A free VPN app with more than 50,000 downloads on the Google Play store left a database containing 18.5GB of connection logs exposed on the internet for anyone to find.

According to Cybernews, which made the discovery, the exposed database belongs to BeanVPN and contained more than 25 million records including user device and Play Service IDs, IP addresses, connection timestamps and other diagnostic information.

While the Elasticsearch instance has since been secured, Cybernews security researcher Aras Nazarovas explained in a blog post what cybercriminals could do with the information it contained.

"The information found in this database could be used to de-anonymize BeanVPN's users and find their approximate location using geo-IP databases," Nazarovas wrote. "The Play Service ID could also be used to find out the user's email address that they are signed in to their device with." 

Violating its own privacy policy

BeanVPN is developed by a company called IMSOFT, which explains in its privacy policy that it doesn’t store connection logs and timestamps, IP addresses and other diagnostic information.

While IMSOFT appears to have violated its own privacy policy in this regard, the company also emphasized that it protects user data with “best-in-class physical, procedural and technical security” at its offices and information storage facilities. As Cybernews notes though, publicly available information suggests that its only office is located in an apartment building in Bucharest, Romania.

Although privacy policies can often tell you quite a bit about a VPN company, it’s up to the businesses themselves to adhere to them.

Exposed databases continue to put consumers at risk

Exposed databases are a recurring problem for VPN companies and tech giants alike: because such databases aren’t password protected, anyone who finds one online can access it.

Back in March 2021, Cybernews discovered three databases leaked by SuperVPN, GeckoVPN and ChatVPN which contained the data of 21 million people. Email addresses, passwords, full names, country information and payment details from these databases were then sold on the dark web. Additionally, in May of this year, Cybernews found an unsecured database belonging to UK law enforcement agencies that contained information on millions of vehicles. 

Unlike cyberattacks, where hackers exploit vulnerabilities or other weaknesses to gain access to sensitive data, with an exposed database the businesses that collected the data in the first place are the ones responsible, as they failed to store it securely. We all use passwords on our smartphones and laptops, so why aren’t companies doing the same with their databases? Besides losing customers over data privacy concerns, businesses that fail to secure their databases can also be fined by regulators.

Why opting for a paid VPN is your best bet

Saving a bit of cash by choosing a free VPN over a paid one may seem like a good idea at first, until you consider the limitations. Most free VPNs come with some kind of catch in the form of data limits, speed restrictions, fewer servers or fewer features.

If you just want a bit of extra privacy for certain tasks, then a free VPN may be worth your while. However, not all free VPNs are cut from the same cloth. Even if a free VPN app has a lot of downloads on the Google Play Store or Apple App Store, it may be selling your data or putting you at risk in other ways. This is why we’ve put together a list of the best free VPNs from reputable companies that are actually worth using.

Still, signing up for a paid VPN will always be the better option, as you’ll have access to more features with no restrictions, alongside regular updates and customer support you can contact if you run into any connection problems. Another option worth considering is signing up for one of the picks from our list of the best antivirus software, as many antivirus makers throw in access to a VPN as an extra. In fact, Norton 360 Deluxe and Trend Micro Maximum Security both include unlimited VPN access. This way you can secure devices against malware and other cyber threats while protecting your privacy with a VPN.

If you already have a security suite on your devices and just want a reliable VPN, then ExpressVPN, NordVPN and Surfshark are currently our top picks.

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.