“Data breach of free VPN providers exposes details of millions of users”, 20 July 2020

… vpnMentor cybersecurity researchers claim they found an unsecured server shared by several VPNs, software designed to protect users, and say it could potentially affect more than 20 million users.

In a report provided to Nine News, the researchers say the server was "completely open and accessible, exposing private user data for everyone to see".

It claims the affected apps include UFO VPN, Fast VPN, Free VPN, Super VPN, Flash VPN, Secure VPN and Rabbit VPN.

Lead researcher Noam Rotem said his team found entries within the exposed database that contained personal details about users, such as email addresses, home addresses, clear text passwords, IP addresses and other identifying information…

It appears the apps on the exposed server share a common Hong Kong-based owner and developer.

Spokespeople for UFO VPN and Fast VPN issued nearly identical statements in response to questions about the breach: "Due to personnel changes caused by COVID-19, we've not found bugs in server firewall rules immediately, which will lead to the potential risk of being hacked. And now it has been fixed".

The companies also claimed they didn't collect all the types of data that the researchers say they found.

Mobipotato – the company representing FastVPN – confirmed the server was at risk from June 29 to July 13.

The other companies did not respond to requests for comment, and the contact email provided for RabbitVPN bounced back…