Hong Kong VPN Providers Accused of Massive User Private Data Breach

Yolanda Curtis
August 2, 2020

So far, around 7 VPN providers have reportedly leaked over 1TB of private user information that was left accessible without any password or authentication, according to a new report. These VPN applications are still available in the Play Store as of now; only Rabbit VPN has been removed.

Kicking it off, Comparitech's Bob Diachenko recently discovered 894 GB worth of user data in an unsecured Elasticsearch cluster belonging to UFO VPN, a provider whose privacy policy informs users that they aren't tracked as they travel around the internet. The user data UFO VPN leaked included plain text passwords, VPN session secrets, IP addresses, connection timestamps, geo-tags, and device and OS characteristics. The Comparitech report states that data of almost 20 million users (both free and paid), amounting to 894 GB, was leaked.

When you use a VPN service, you're trusting it with the same data that your internet service provider would typically collect. The provider also maintained that the logs were only used for performance monitoring and were supposedly anonymized. After using the service, experts found data about their own activity on the discovered server. As it stands, the zero-log claim is evidently untrue. Comparitech reportedly alerted the VPN provider, and the company fixed the issue after almost two weeks. Based on the data that was leaked, connection activities are clearly being captured and stored.

Spokespersons for Fast VPN and UFO VPN blamed personnel changes caused by COVID-19, because of which they had failed to find bugs in the server firewalls that could have led to being hacked. It was found that these seven Hong Kong VPNs are all owned by the same Hong Kong-based parent company, as they share a common server and are hosted on the same assets.

The incident underscores the problems with white label VPN services. It's all too easy for some companies to rebrand services without being held to account for their claims. If you're concerned about the privacy of your data, it may be better to stick to major brands.

Since the developers of these apps are headquartered in Hong Kong, the team alerted Hong Kong's Computer Emergency Response Team (HKCERT) office. Critics of the government use VPNs precisely to stay away from China's surveillance and censorship. This increased the leaked data to a total of 1.2 TB.

Over 20 million people worldwide could have been exposed to this leak.
