Skip to main content

VPN breach of multiple services exposes millions of users' data: What to do

(Image credit: piranka/Getty Images)

A virtual private network (VPN) service is specifically intended to encrypt your internet traffic. It protects you and your data from any companies, governments, or individuals that may want it for things as relatively innocuous as targeted advertising or more nefarious purposes. 

Naturally, this makes security breaches of VPNs particularly frustrating and damaging. Recently,  a breach of UFO VPN customers' data was recently uncovered by the cybersecurity firm Comparitech. It's made all the worse by the company's claim that it is a "zero log" or "no-log" VPN service (via LifeHacker). 

Who is affected by the breach

Users of both free and paid UFO VPN accounts were found in the breached database, which according to the company's website could include approximately 20 million users. 

An article by Android Police identified several other VPN services that use a "common codebase and infrastructure" to UFO VPN and were guilty of similar leaks. These services include Fast VPN, Free VPN, Super VPN, Flash VPN, Secure VPN and Rabbit VPN. These services are smaller than UFO VPN, but have install totals of between ten thousand and one million each in the Play Store. 

How did the breach happen

With roughly 1TB of user logs apparently exposed in the breach according to some reports, it would seem that UFO VPN's definition of "zero" is wanting. 

The breach occurred due to a database of user logs and API access records that was left accessible "on the web without a password or any other authentication required to access it." UFO VPN attributed the problem to "personnel changes caused by COVID-19" which lead to bugs that went uncovered, but regardless of the reasoning, the damage was done. 

The security researchers notified UFO VPN of the breach on July 1 and it took over two weeks for the company to shut down the database in question. Subsequently, it popped up a second time on July 20 with even more data including records up to July 19. The company has not yet responded to this second occurrence.

 

What data was exposed in the breach

Based on Comparitech's review of the database the company believes that the user logs and API access records contained:

  • Account passwords in plain text
  • VPN session secrets and tokens
  • IP addresses of both user devices and the VPN servers they connected to
  • Connection timestamps
  • Geo-tags
  • Device and OS characteristics
  • URLS that appear to be domains from which advertisements are injected into free users' web browsers

What to do if your data was breached

The most critical threat is likely to be the exposed passwords. If you used UFO VPN or any of the other potentially impacted VPN services, and you reuse that password across any other services be certain to change it immediately.

Your email address would likely also be exposed, the most likely threat there is simply phishing attacks which hopefully you are accustomed to avoiding anyway.

The rest of the threats are based on decryption of your data to view your location and online activity while using the VPN service. Unfortunately, there is nothing really to be done about these issues as the data has already been exposed.