VPN firm that claims zero logs policy leaks 20 million user logs

Authored by hackread.com and submitted by drakanx
image for VPN firm that claims zero logs policy leaks 20 million user logs

The VPN company in the discussion is a Hong Kong-based UFO VPN owned by Dreamfii HK Limited.

Perhaps, the most ironic moments in the cybersecurity world occur when those who promise to protect your online privacy cannot guard their own turf. We’ve seen this happen from time to time with security firms getting hacked themselves.

Another similar case has emerged recently when the database of a Hong Kong-based VPN provider called UFO VPN was exposed with more than 20 million users logs.

Discovered by researchers from Comparitech on July 1st, 2020; the exposure occurred due to the database hosted on an Elasticsearch cluster being left without any password.

See: PureVPN claimed it does not keep logs, yet it provided user logs to the FBI

Worth 894 GB, the data allegedly included plaintext passwords, IP addresses, timestamps of user connections, session tokens, information of the device, and OS being used along with geographical information in the form of tags.

The implications of this are pretty dangerous in that not only user accounts are at risk of being taken over by malicious actors but users can also be tracked online.

Furthermore, using the session tokens, any encrypted data that someone gains access to could also be decrypted rendering the entire concept of encryption useless in this scenario.

This, as Comparitech has rightly pointed out, goes against the service provider’s privacy policy and the promises of a zero log policy it has communicated to its users:

UFO VPN does not collect, monitor, or log any traffic or use of its Virtual Private Network service, under any circumstances, on any platform.

See: Israeli firm buys Private Internet Access (PIA) VPN raising privacy concerns

The incident was reported to UFO VPN and the database was secured yesterday on 15 July. The company, on the other hand, claims that due to the certain employee being changed because of the Coronavirus, the issue could not be identified earlier stating the following:

In this server, all the collected information is anonymous and only be used for analyzing the user’s network performance & problems to improve service quality. So far, no information has been leaked.

This though of course if what the company seems to be saying to mitigate the damage to its reputation with the facts clearly suggesting otherwise. For the future, hence, it remains to see if the firm improves its security practices and how many users jump ship. Users of the provider are suggested to immediately change their account passwords as they may be at risk.

Did you enjoy reading this article? Do like our page on Facebook and follow us on Twitter.

managerms on July 18th, 2020 at 08:56 UTC »

That website gets a big fat F. Looks like it was built by viruses.

cferrios on July 18th, 2020 at 06:45 UTC »

From this article:

894 GB of data was stored in an unsecured Elasticsearch cluster. UFO VPN claimed the data was “anonymous”, but based on the evidence at hand, we believe the user logs and API access records included the following info:

Account passwords in plain text VPN session secrets and tokens IP addresses of both user devices and the VPN servers they connected to Connection timestamps Geo-tags Device and OS characteristics URLs that appear to be domains from which advertisements are injected into free users’ web browsers

Who the hell still stores passwords in plain-text?

EDIT: /u/billdietrich1 is correct, the leak only confirms that account passwords are exposed in plain text in the logs which is by itself extremely bad.

1-760-706-7425 on July 18th, 2020 at 06:29 UTC »

For anyone freaking out: it was UFO VPN.