Remember how hundreds of thousands of Kashmiris were using Virtual Private Network (VPN) applications to access blocked websites months after the government suspended the internet in Jammu and Kashmir last year?
Well, according to a report by vpnMentor, most of these VPN apps were insecure and the personal data of millions of users who installed them on their phones has been leaked.
The user data of seven Hong Kong-based VPN providers has been leaked online. The VPN apps include UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN and Rabbit VPN, most of which were used in Kashmir during the internet blockade.
These services claim to have as many as 20 million users around the world. Researchers have discovered that the data of potentially all of these 20 million users has been leaked online, totalling up to as much as 1.2TB worth of data.
A vpnMentor research team, led by Noam Rotem, a well-known white hat hacker and activist, uncovered the server and found that Personally Identifiable Information (PII) collected by these VPN apps had been leaked online. Interestingly enough, these VPN services claim to offer “no-log” VPNs, which would suggest they don’t keep records of any user activity on their network. At least that seems to be their big selling point. This revelation comes just days after security researcher Bob Diachenko revealed that as much as 894GB worth of records in an unsecured Elasticsearch cluster that belonged to UFO VPN was easily available for unauthorized access.
It turns out that some of the VPN apps are incredibly popular too, with very good ratings on the Google Play Store and the Apple App Store. Super VPN, developed by Hong Kong-based Nownetmobi, has a rating of 4.6 stars on the Google Play Store and 4.9 stars on the Apple App Store. UFO VPN, developed by Hong Kong-based Dreamfii HK Limited, has clocked 4.5 stars on the Google Play Store and 4.8 stars on the Apple App Store.
The vpnMentor research team says it has reached out with the details to all the VPN app developers listed here and also to Hong Kong’s Computer Emergency Response Team (HKCERT).