A free VPN app on the Google Play Store exposed 25 million user records, including 18.5GB of connection logs that could let threat actors find out a user's email address, location, and more.
Discovered by Cybernews, free VPN service BeanVPN left over 25 million records open to the public, with Play Service IDs, IP addresses, connection timestamps and even user devices made publicly available. The information was spotted on an Elasticsearch instance (Elasticsearch is a free and open search and analytics engine), but the report states the search instance is now closed.
The BeanVPN app has more than 50,000 downloads on the Google Play Store, and is developed by IMSOFT. It isn't available on the App Store, but Android phone users should be aware.
The BeanVPN website has no information about the app, and instead promotes a "TeleFly for Telegram" app for MTProto proxy servers for Telegram. Cybernews reached out to the BeanVPN developer, but there has been no response.
"The information found in this database could be used to de-anonymize BeanVPN's users and find their approximate location using geo-IP databases," Cybernews security researcher Aras Nazarovas stated. "The Play Service ID could also be used to find out the user's email address that they are signed in to their device with."
Free VPNs can be risky
A VPN provides anonymity when browsing on public Wi-Fi, bypasses region restrictions on websites, and keeps your online activity encrypted. Having exposed user records, BeanVPN can't be treated as a trusted service. Many free VPN options use weak encryption, so attackers can easily access them, or worse, the VPN service can log your data and sell it off.
The best VPN services require a fee, but they are known for their tight security and fast speeds.