Seven VPN services that claim to never log user traffic have been found doing just that—and they leak that information on the internet, according to security researchers at vpnMentor.
Earlier this month, vpnMentor discovered a single open server that contained user information belonging to seven different VPN services based in Hong Kong, including UFO VPN, Fast VPN, and Free VPN.
In total, the server contained 1.2TB of data, including names, user passwords, email addresses, and home addresses for various customers. But the real alarming find was the stored activity logs, which can reveal which sites customers are visiting, and through which user IDs, IP addresses, and devices.
The incident is pretty stunning, considering that many people who subscribe to VPNs do so to protect their privacy. However, the exposed server essentially gave anyone an easy way to monitor the activities on up to 20 million users.
Each of the affected providers also claim to offer “no-log” VPN services, meaning detailed user traffic is supposedly never recorded. However, the exposed server indicates this was far from the truth. “In some cases, illicit sites were accessed from countries where viewing such content is an illegal and punishable activity,” vpnMentor said.
According to the research, the exposed server appears to belong to one main company, which is then running the seven VPN services under different brand names. VpnMentor reached out to the affected providers on July 5, but it wasn’t until July 15 when the exposed server was finally secured.
UFO VPN told the researchers: “Due to personnel changes caused by COVID-19, we’ve not found bugs in server firewall rules immediately, which will lead to the potential risk of being hacked. And now it has been fixed.” In the same statement, UFO VPN said all information on the server was “anonymous,” and merely used for analyzing users’ network performance.
VpnMentor says that’s false. To verify their findings, researchers tried out the UFO VPN app, and noticed their user activity logs popped up on the exposed server in real time. “Furthermore, we could clearly see the username and password we used to register our account, stored in the logs as cleartext,” they added.
The incident underscores how some VPN providers can be pretty scammy. “Lesson: Commercial VPN services lie. A lot,” tweeted security researcher Kenneth White.
If you subscribe to UFO VPN or to the six other providers, we recommend you find a better alternative. Some VPN providers have also gone out of their way to go through a security audit to prove they have a no-logging policy in place. Others are banding together on a “trust initiative” to help ensure the VPN industry is using the best practices on security and privacy.