
Hong Kong: Server shared by several VPNs accused of being "completely open and accessible" and exposing private user data

Author: The Sydney Morning Herald, Published on: 20 July 2020

“Data breach of free VPN providers exposes details of millions of users”, 20 July 2020

… vpnMentor cybersecurity researchers claim they found an unsecured server shared by several VPNs, software designed to protect users, and say it could potentially affect more than 20 million users.

In a report provided to Nine News, the researchers say the server was "completely open and accessible, exposing private user data for everyone to see".

It claims the affected apps include UFO VPN, Fast VPN, Free VPN, Super VPN, Flash VPN, Secure VPN and Rabbit VPN.

Lead researcher Noam Rotem said his team found entries within the exposed database that contained personal details about users, such as email addresses, home addresses, clear text passwords, IP addresses and other identifying information…

It appears the apps on the exposed server share a common Hong Kong-based owner and developer.

Spokespeople for UFO VPN and Fast VPN issued nearly identical statements in response to questions about the breach: "Due to personnel changes caused by COVID-19, we've not found bugs in server firewall rules immediately, which will lead to the potential risk of being hacked. And now it has been fixed".

The companies also claimed they didn't collect all the types of data that the researchers say they found.

Mobipotato – the company representing FastVPN – confirmed the server was at risk from June 29 to July 13.

The other companies did not respond to requests for comment, and the contact email provided for RabbitVPN bounced back…
