When you use a VPN service, you're trusting it with the same data that your internet service provider would typically collect. That's why it's crucial to properly research any VPNs you use, even if they claim to not collect any logs. Case in point: seven VPN services using the same white-label provider were found leaking a lot of user data.
Comparitech published a report earlier this week saying 'UFO VPN,' a service based in Hong Kong, had an exposed database with 894GB of data. The information included plain-text account passwords, VPN session secrets/tokens, IP addresses of client devices and servers, the operating system being used, and more. The company's website still claims the VPN has a "zero log policy." UFO VPN is available on Android (among other platforms), and has over 10 million installations on the Play Store.
The fun didn't stop there, though. The research team at vpnMentor later discovered that UFO VPN was one of several white-label VPNs sharing a common codebase and infrastructure. FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN were also found to be leaking data, bringing the total to 1.207 TB of private information. Again, all these services have apps on the Play Store, each ranging from 10 thousand to 1 million installs. So far, only Rabbit VPN has been pulled from the store.
All of the VPN services share a common Elasticsearch server, have the same recipient for payments ("Dreamfii HK Limited"), and three of the services even have nearly identical websites. We've reached out to Google to ask if the VPN applications will be pulled from the Play Store, but we have not received an answer yet. In the meantime, if you use one of the affected services, it's probably time to start changing passwords.
- The Register