
Free VPN reportedly exposed 25 million user records — here's the culprit


A free VPN app on the Google Play Store exposed 25 million user records, including 18.5GB of connection logs that could let threat actors find out a user's email address, location, and more.

Cybernews discovered that free VPN service BeanVPN left over 25 million records open to the public, with Play Service IDs, IP addresses, connection timestamps and even user devices made publicly available. The information was found in an Elasticsearch instance (Elasticsearch is a free and open search and analytics engine), but the report states the instance is now closed.

The BeanVPN app has more than 50,000 downloads on the Google Play Store, and is developed by IMSOFT. It isn't available on the App Store, but Android phone users should be aware.

What's worse, the company's privacy policy states: "we do not collect logs of your activity, including no logging of browsing history, traffic destination, data content, or DNS queries. We also never store connection logs, i.e., no logs of your IP address, your outgoing VPN IP address, connection timestamp, or session duration."

The BeanVPN website has no information about the app, and instead promotes a "TeleFly for Telegram" app for MTProto proxy servers for Telegram. Cybernews reached out to the BeanVPN developer, but there has been no response. 


"The information found in this database could be used to de-anonymize BeanVPN's users and find their approximate location using geo-IP databases," Cybernews security researcher Aras Nazarovas stated. "The Play Service ID could also be used to find out the user's email address that they are signed in to their device with." 

Free VPNs can be risky

A VPN provides anonymity when browsing on public Wi-Fi, bypasses region-restricted websites, and keeps your online activity encrypted. Having exposed user records, BeanVPN can't be treated as a trusted service. Many free VPN options use weak encryption, making them easy for attackers to access, or worse, the VPN service can log your data and sell it off.

While they offer the ability to get past censored sites in a region, free VPN services can lead to leaked information that can be used to find out your real IP address and ID, meaning threat actors can find out your location and your email address. Some free VPNs are more trusted than others, including Hide.me VPN and Windscribe, but it's always a good idea to check their privacy policy, reviews, and potential news on leaked data.

The best VPN services require a fee, but they are known for their tight security and fast speeds. For a better look at what you can use a VPN for, check out these five reasons why you need a VPN.

Darragh Murphy is fascinated by all things bizarre, which usually leads to assorted coverage varying from washing machines designed for AirPods to the mischievous world of cyberattacks. Whether it's connecting Scar from The Lion King to two-factor authentication or turning his love for gadgets into a fabricated rap battle from 8 Mile, he believes there’s always a quirky spin to be made. With a Master’s degree in Magazine Journalism from The University of Sheffield, along with short stints at Kerrang! and Exposed Magazine, Darragh started his career writing about the tech industry at Time Out Dubai and ShortList Dubai, covering everything from the latest iPhone models and Huawei laptops to massive Esports events in the Middle East. Now, he can be found proudly diving into gaming, gadgets, and letting readers know the joys of docking stations for Laptop Mag.