The list of VPN providers that you’ll definitely want to avoid has gotten bigger. VPN Mentor is reporting that a group of Hong Kong-based services, which include UFO VPN, Secure VPN, and Rabbit VPN, leaked personally identifiable data for as many as 20 million users! How sensitive was the information, you ask? Well, the data ranges from complete activity logs to clear-text passwords and Bitcoin payment information. Needless to say, that’s a huge yikes.

Data Breach Summary

Apps: UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, Rabbit VPN
Headquarters/Location: Hong Kong
Industry: Cybersecurity
Total size of data: 1.207 TB
Total number of files: 1,083,997,361 records
No. of people exposed: Over 20 million, based on user numbers claimed by the VPNs
Geographical scope: Worldwide
Types of data exposed: Activity logs, PII (names, emails, home address), cleartext passwords, Bitcoin payment information, support messages, personal device information, tech specs, account info, direct PayPal API links
Potential impact: Fraud, doxing, blackmail, extortion, viral attack and hacking, arrest and persecution
Data storage format: Elasticsearch server

And here are some of the brands that the VPNs are marketed under. You may want to avoid these at all costs.

  • UFO VPN – “Super private & unlimited fast VPN for Android. Hide IP, unblock sites from 360.”
    • Google Play Store: Rating 4.5 stars, 10M+ downloads
    • Apple App Store: 4.8 stars
    • Developer: Dreamfii HK Limited, Hong Kong
  • FAST VPN – “100% Free VPN for gaming: access websites, apps and mobile games unlimited”
    • Google Play Store: Rating 4.5 stars, 1M+ downloads
    • Apple App Store: Rating 4.6 stars
    • Developer: Mobipotato HK Limited, Hong Kong
  • FREE VPN – “The best free VPN tunnel for android to unblock content. Feel the outer space!”
    • Google Play Store: Rating 4.5 stars, 100k+ downloads
    • Apple App Store: Rating 4.6 stars
    • Developer: Starxmobi HK Ltd, Hong Kong
  • Super VPN – “Super VPN is the best unlimited VPN proxy for android.”
    • Google Play Store: 4.6 stars, 1M+ downloads
    • Apple App Store: 4.9 stars
    • Developer: Nownetmobi, Hong Kong

Logged Web Activity and Technical Details

  • Connection logs, traffic, and sites visited
  • Origin IP addresses
  • Internet Service Provider (ISP)
  • Actual location
  • Device type
  • Device ID
  • App version
  • Phone models
  • User network connection

Amusingly, here’s what UFO states in its privacy policy: “We do not track user activities outside of our site, nor do we track the website browsing or connection activities of users who are using our Services.” So much for that!

5 Comments

  1. How hard is it to configure a script to 1. not log anything 2. delete log after xx minutes.
  2. I still don’t use a VPN. I especially wouldn’t use any service coming out of HK now that China has taken over.
  3. I switched from IPVanish (Read they gave up logs in a criminal case) to P.I.A. (Who got bought out by a malware company) to SurfShark .. I guess we’ll see how that goes..
  4. I do not believe any no-log VPN service. I am sure one or two exist but I just do not trust people like that. Do you want a no log service? Make your own VPN and host it on your own network.