Article

20 Jul 2020

Author:
VPNMentor

Hong Kong: Seven free VPNs allegedly leave users' logs and personal details open for all to see, report reveals

"Report: No-Log VPNs Exposed Users’ Logs and Personal Details for All to See", 16 July 2020

A group of free VPN (virtual private network) apps left their server completely open and accessible, exposing private user data for anyone to see. This lack of basic security measures in an essential part of a cybersecurity product is not just shocking. It also shows a total disregard for standard VPN practices, which puts their users at risk.

The vpnMentor research team... uncovered the server and found Personally Identifiable Information (PII) data for potentially over 20 million VPN users, according to claims of user numbers made by the VPNs.

Each of these VPNs claims that their services are “no-log” VPNs, which means that they don’t record any user activity on their respective apps. However, we found multiple instances of internet activity logs on their shared server. This was in addition to the PII data, which included email addresses, clear text passwords, IP addresses, home addresses, phone models, device ID, and other technical details.

The VPNs affected are UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN – all of which appear to be connected by a common app developer and white-labeled for other companies...

... we reached out to four of the VPNs and their developers, along with Hong Kong’s Computer Emergency Response Team (HKCERT) office, and, eventually, numerous tech journalists...

Mobipotato responded quickly but seemed unaware of the issues that come with an unsecured server – especially one that contains information they’re not supposed to be recording – and didn’t understand what “PIIs and its affections” are.

We sent two replies to the company but received no further communication.

... we attempted contact with numerous people at Dreamfii, the developers of UFO VPN, to no avail...

The journalists we enlisted to help us... eventually received some replies to their inquiries…

… we received the following response from the UFO VPN Team:

“… We do not collect and restore users’ home addresses. In this server, all the collected information is anonymous and only be used for analyzing the user’s network performance & problems to improve service quality...

‘clear text passwords’ are not the password for logging in their accounts… We name it “password” in feedback and store it in cleartext. But for user accounts and logging-in passwords, we have all of them encrypted when transferring and storing.”

However, based on our investigation, we concluded this statement was incorrect and replied with further evidence to back this up...