CATEGORIES
home News

Seven 'Zero Logging' VPN Providers Accused Of Leaking User Data Over The Web

by Shane McGlaunMonday, July 20, 2020, 01:51 PM EDT
vpn world

The internet is a place where it's difficult to trust anything that anyone says. A recent case of more than a handful of VPN providers who claim to keep no logs of their user's activity, yet leaked activity logs, highlights that you can't trust anyone online. As it turns out, the seven VPN providers were logging user activity, and those logs have now leaked onto the internet. The first logs discovered were from a company called UFO VPN.

UFO VPN had an unsecured Elasticsearch cluster that left the log files facing the public internet for anyone to discover. The logs were found by Bob Diachenko from a company called Comparitech. The records contained copious amounts of data on UFO VPN users, including what appeared to be plain text passwords, VPN session secrets and tokens, IP addresses of user devices, and VPN servers they connected to. The data also included timestamps, location information, device characteristics, and OS versions of free-tier users that saw ads.

Adding insult to injury, UFO VPN had a privacy policy that literally stated in bold it didn't track user activities outside of its site or web browsing connection activities of users of its service. The user logs discovered in the unprotected server showed that it was at least logging connections to the service. When notified that the database was unprotected, Diachenko said he never heard back from UFO VPN.

Things got worse a few days later when the same unsecured data was discovered by a team led by Noam Rotem at VPNmentor. That team found that seven different VPN providers based in Hong Kong, including UFO VPN, Fast VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN, all shared a common entity providing white-label VPN service.

All of those companies were leaking data from the same unsecured Elastisearch cluster. In total, 1.2 TB of data was sitting in the open representing over a billion total log entries. Many of the entries appeared to contain highly sensitive information, including usernames, emails, and home addresses. Bitcoin and PayPal payment information was also leaked.

UFO VPN claimed the logs were kept for traffic-performance monitoring only and that the data was anonymized. Keeping records for performance monitoring goes against its bolded claim of keeping no logs. Both Comparitech and VPNmentor disagree with UFO VPN's claims. VPNmentor went so far as to say that it didn't believe the data was anonymized.

These companies are certainly not the first VPN providers that had a problem with security. Late in 2019, one of the most popular VPN providers, called NordVPN, admitted that it had been hacked. However, it said the server accessed didn't contain any user activity or information on usernames and passwords.

Tags:  security, data breach, VPN
TOP CONVERSATIONS
Your Next PC Platform?
More Results
KEEP INFORMED
SITE

Home

Reviews

News

Blogs

Full Site

Sitemap

CATEGORIES

PC Components

Systems

Mobile

IT Infrastructure

Leisure

Videos

COMPANY

About

Advertise

News Tips

Contact

Privacy And Terms

HotTech

MORE

Accessibility

Shop

STAY CONNECTED

Twitter

Facebook

YouTube

RSS

As an Amazon and Howl Technologies Associate, HotHardware earns a commission from qualifying purchases made on this site. This site is intended for informational and entertainment purposes only. The contents are the views and opinion of the author and/or his associates. All products and trademarks are the property of their respective owners. Reproduction in whole or in part, in any form or medium, without express written permission of Hot Hardware, Inc. is prohibited. All content and graphical elements are Copyright © 1999 - 2024 David Altavilla and Hot Hardware, Inc.
All rights reserved. Privacy and Terms - Accessibility Commitment