‘No-logs’ VPN services, including UFO VPN and Rabbit VPN, leaked over 1.2TB of user data and logs
Hong Kong-based virtual private network (VPN) service provider UFO VPN and six other VPN services have leaked user data and logs. Comparitech found that UFO VPN had left a database and API records publicly available without any form of authentication, which exposed 20 million logs per day. The database went public and was indexed by shodan.io on June 27, 2020. Comparitech researcher Diachenko found it on 1 July and notified UFO the same day; it took UFO 2 weeks to secure the database. The database leaked almost 894GB of data, which UFO said was anonymous, although the data does not appear to be.
According to Comparitech, the leaked data included:
- Account passwords in plain text
- VPN session secrets and tokens
- IP addresses of both user devices and the VPN servers they connected to
- Connection timestamps
- Device and OS characteristics
- URLs that appear to be domains from which advertisements are injected into free users’ web browsers
According to vpnMentor, along with UFO VPN, six other services (FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN and Rabbit VPN) shared the same Elasticsearch instance, and almost all of these apps share a common developer for white-label companies.