1.2 TB of VPN Logs Leaked from “No-Log” Providers

Most VPN service providers claim they do not monitor their users or keep any logs. Unfortunately, this is not always true. Recently, Bob Diachenko, a specialist at Comparitech, discovered a leak of user data collected by a VPN provider that allegedly did not keep logs.

It all started when Diachenko found an unsecured Elasticsearch cluster online containing 894 GB of data belonging to UFO VPN. The logs meticulously recorded:

  • Account passwords (in plain text)
  • VPN session secrets and tokens
  • IP addresses of user devices and VPN servers they connected to
  • Connection timestamps
  • Location information
  • Device and OS version details
  • Web domains used to inject ads into the browsers of users on UFO VPN’s free tier

Meanwhile, UFO VPN’s privacy policy states that the service does not track user activity outside the company’s website and does not collect any data.

According to Comparitech, more than 20,000,000 new records are added to UFO VPN’s logs every day. Diachenko reports that he notified the provider about the data leak on July 1, 2020, but received no response. The database disappeared from public view and stopped showing up in Shodan searches only weeks later, after the specialist contacted UFO VPN’s hosting provider.

Leak Affects Multiple VPN Providers

Specialists from VPNmentor also discovered this leak. They report that the issue affects not only UFO VPN and its users but also six other Hong Kong-based VPN providers: FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN. Apparently, all these names are linked to a single organization that offers a white-label platform for VPN services. Of course, all these providers claim they do not keep any logs.

All the listed providers used the same unsecured Elasticsearch cluster. In total, researchers found about 1.2 TB of data publicly accessible: 1,083,997,361 logs, many containing sensitive information.

The logs included:

  • Information about visited websites
  • Connection logs
  • User names
  • Email addresses and home addresses
  • Passwords in plain text
  • Payment information for Bitcoin and PayPal
  • Support messages
  • User device specifications
  • Account information

For example, the logs contained PayPal payment details from a user in the United States.

“Each of these VPN providers claims their service does not keep logs, meaning they do not record any user activity in their apps. However, we found numerous instances of internet activity logs on their shared server. This is in addition to personal information, which included email addresses, plain text passwords, IP addresses, home addresses, phone models, device IDs, and other technical details,” VPNmentor experts wrote.

VPNmentor researchers even created an account with one of the providers and later found it in the logs, along with their email address, location, IP address, device, and the servers they connected to.

Provider Response and Expert Opinions

The specialists notified the providers about the issue and the need to remove the cluster from public access, and even reported the situation to HK-CERT. However, no immediate action was taken to fix the incident.

Only weeks later did UFO VPN representatives release an official statement, saying that due to the coronavirus pandemic, they were unable to properly secure user data and failed to notice a firewall configuration error in time.

The provider also claims that the logs found by experts were anonymous and kept solely for bandwidth monitoring, though some records may have contained IP addresses, as well as account tokens and secrets. The provider insists there were no plain text passwords in the logs, and that experts may have mistaken session tokens for passwords. Regarding email addresses, UFO VPN explains that sometimes users send feedback containing their email addresses, but these make up less than one percent of the data.

Experts from Comparitech and VPNmentor strongly disagree with the provider’s position, stating that the data found was definitely not anonymous. They recommend all users change their passwords immediately.
