Share this article on:
A data breach on a free VPN service has led to 360 million records being exposed to the public, according to a new report.
A non-password secured database containing over 360 million records was uncovered by cyber security researcher at vpnMentor, Jeremiah Fowler, who said the records related to a VPN data breach.
360,308,817 records were exposed, totalling 133 gigabytes of data. The types of data exposed included email addresses, original IP addresses, records of servers used, Unique App User ID numbers, UUID numbers, geolocation, device information, VPN version, internet connection type, operating system, refund requests and links to websites that users of the app had visited.
All the information above presents a major security issue, with the internet history of users being some of the most dangerous, providing a database of people to blackmail to any potential threat actor.
Fowler said the records almost all refer to a “SuperVPN”, which on further inspection, is a program that markets itself as a free VPN service.
“There are two (2) apps named SuperVPN available officially on both the Apple and Google application stores. According to the Google app store page, they have a combined 100 million downloads worldwide,” said Fowler.
“Notably, the two apps named SuperVPN are listed under separate developers on both Google Play and Apple’s app store.
“SuperVPN for iOS, iPad, and macOS [is] credited to developers Qingdao Leyou Hudong Network Technology Co., whereas the second app of the same name is developed by SuperSoft Tech.”
Fowler contacted any emails relating to SuperVPN with a responsible disclosure, which resulted in the database being locked from public viewing.
He has concluded that the company behind the SuperVPN in question is Qingdao Leyou Hudong Network Technology Co., despite not hearing back from either company. Both companies had connections to China and database notes were in Chinese.
While it is unknown whether the SuperSoft version is related, concerns with its security were raised in 2020 by journalist Zak Doffman.
Doffman told Forbes that users of SuperVPN should delete it immediately due to security risks that SuperSoft repeatedly failed to patch.
“The issue was a security vulnerability a Chinese developer had repeatedly failed to fix — a vulnerability that exposed users to critical man-in-the-middle attacks,” said Doffman.
“That risk has now been mitigated. But for those with the app — SuperVPN — installed on their phones, you should delete it right away.”
SuperVPN’s connection to China presents immediate security risks, even though the database showed users were outside of the Asian superpower.
Due to the strict regulations on internet usage and information control present in China, the use of a China-based VPN could result in privacy being inhibited.
VPNs are common practice in China, with many of its people looking for ways to get around the nation’s strict internet regulations.
In an effort to combat this, the Chinese government announced in 2017 that all VPN providers must be licensed or be shut down. This led to VPNs being harder to get and less reliable. It also means the Chinese government now monitors VPNs and takes action against citizens who view restricted data.
For individuals outside of China, this still means a user’s data and search activity is being monitored by the Chinese government.
In addition, SuperVPN’s terms of service also raised concerns, with Fowler pointing out that it featured “potentially ambiguous [terms] and broad blanket prohibitions [such as] ‘subverting state power, undermining national unity or undermining social stability and/or damaging the honor and interests of the state’ and ‘destroying the state’s religious policies and propagating cults and feudal superstition’.
“These actions can be interpreted subjectively, and the statements are vague enough that many actions could potentially be considered against the law.”
Fowler concludes that the incident is a lesson in choosing a safe and reliable VPN service. Users can do this by ensuring that the service is clear about what data it collects, has DNS leak protection, has 128-bit or 256-bit AES encryption and has good reviews.