UFO VPN, which claims to keep zero logs on both its FREE and PAID VPN, has exposed millions of users' data, including emails and passwords.
UFO VPN, a Hong Kong based VPN provider, exposed a huge database of its users' logs and API access records to the internet, where it could be accessed without a password.
The database contained plain text passwords, emails, information about the user, including their activity logs, and the IP addresses used to connect to the service.
This week, we reported news about the latest National Security Law in Hong Kong, which allows authorities to seize VPN servers without the need for a warrant, and this data dump is yet another warning to those of you still using VPN services based in Hong Kong.
The leader of Comparitech's security research team, Bob Diachenko, discovered the exposure, which affects both free and paid users of UFO VPN, and alerted the company immediately when he found the dump back in July.
“It’s not clear how many users are affected, but our findings suggest that potentially all users who connected to UFO VPN at the time of exposure could be compromised. UFO VPN claims to have 20 million users on its website, and the database exposed more than 20 million logs per day.”
Quote by Comparitech.com
Two weeks after the findings and disclosure were sent to UFO VPN, the company shut down the database and responded via email with the following:
“Due to personnel changes caused by COVID-19, we’ve not found bugs in server firewall rules immediately, which will lead to the potential risk of being hacked. And now it has been fixed.”
“We don’t collect any information for registering,” the spokesperson said. “In this server, all the collected information is anonymous and only be used for analyzing the user’s network performance & problems to improve service quality. So far, no information has been leaked.”
UFO VPN response to the exposure
While UFO VPN claims to be a zero-logs provider, the recent exposure suggests otherwise.
What to do if you use UFO VPN?
If you are a UFO VPN customer on either the FREE or PAID version of their VPN, we recommend changing your password immediately.
As the passwords were exposed, it is possible the accounts have already been shared across the internet, or more likely the deep web, where some hackers may attempt to sell them.
Secure your account by changing your personal details, including your password. In our opinion, since UFO VPN is based in Hong Kong, where providers now have to legally hand over any server information without a warrant due to the recent National Security Law in China, we also recommend switching your VPN provider.
We have a list of trusted and fast VPN services on our deals and offers page. You can also bag yourself a long term discount when finding the best VPN for you.
What data was exposed from UFO VPN?
894 GB of data was stored in an unsecured Elasticsearch cluster. UFO VPN claimed the data was “anonymous”, but based on the evidence at hand, we believe the user logs and API access records included the following info:
- Account passwords in plain text
- VPN session secrets and tokens
- IP addresses of both user devices and the VPN servers they connected to
- Connection timestamps
- Device and OS characteristics
- URLs that appear to be domains from which advertisements are injected into free users’ web browsers
“We do not track user activities outside of our Site, nor do we track the website browsing or connection activities of users who are using our Services.”
Dangers of exposed data
If bad actors managed to get their hands on the data before it was secured, it could pose several risks to UFO VPN users.
The plain-text passwords are the clearest and most direct threat. Hackers could not only use them to hijack UFO VPN accounts but might also carry out credential stuffing attacks on other accounts. If the same password is reused across multiple accounts, they could all be compromised.
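The storage difference behind that threat, shown as an added example that is not from the article, Comparitech or UFO VPN (all function names, email addresses and sample passwords are constructed for illustration): the plaintext record is the anti-pattern the leak exposed, and the scrypt-based pair beside it shows what a leaked row gives away when a provider stores a salted hash instead.

```python
"""Plaintext vs. salted-hash credential storage, and what each leaks when dumped."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# scrypt cost parameters: N=2**14 with r=8 needs 16 MiB per hash, within
# hashlib's default memory limit. Raise N on hardware that can afford it.
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32


def store_plaintext(email: str, password: str) -> Dict[str, str]:
    """The anti-pattern: anyone who can read the record reads the password."""
    return {"email": email, "password": password}


def store_hashed(email: str, password: str, salt: Optional[bytes] = None) -> Dict[str, str]:
    """Store only a per-user random salt and the scrypt-derived key, never the password."""
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return {"email": email, "salt": salt.hex(), "hash": key.hex()}


def verify_hashed(record: Dict[str, str], password: str) -> bool:
    """Recompute the key for a login attempt and compare in constant time."""
    expected = bytes.fromhex(record["hash"])
    actual = hashlib.scrypt(password.encode("utf-8"),
                            salt=bytes.fromhex(record["salt"]),
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return hmac.compare_digest(expected, actual)


def leaked_secrets(records: List[Dict[str, str]]) -> List[str]:
    """What a dumped table hands over for free: every password stored verbatim.
    Hashed rows contribute nothing; each one must be guessed separately."""
    return [r["password"] for r in records if "password" in r]


if __name__ == "__main__":
    # Constructed sample users; the passwords are placeholders, not real data.
    users = [("alice@example.com", "correct horse battery"),
             ("bob@example.com", "hunter2")]

    plain_table = [store_plaintext(e, p) for e, p in users]
    hashed_table = [store_hashed(e, p) for e, p in users]

    print("plaintext dump yields:", leaked_secrets(plain_table))
    print("hashed dump yields:   ", leaked_secrets(hashed_table))
    print("login check:", verify_hashed(hashed_table[1], "hunter2"),
          verify_hashed(hashed_table[1], "wrong"))
```

The per-user salt is what stops a single cracked hash, or a precomputed table, from unlocking every account that reused the same password; with plaintext rows there is nothing to crack, which is why the article treats them as the most direct risk.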
IP addresses could be used to discern users’ whereabouts and corroborate their online activity. VPNs are often used to hide users’ real locations and online activity.
The session secrets and tokens could be used to decrypt session data that an attacker might have captured. For example, if an attacker intercepted encrypted data being sent through the VPN on a compromised Wi-Fi network, they could conceivably decrypt that data with this information.
Email addresses could be used to target users with tailored phishing messages and scams.
This exposure demonstrates why we routinely encourage readers to avoid free VPN services, which tend to have subpar security and privacy standards. Ideally, a VPN service should keep no logs at all, including IP addresses.
Thanks to Comparitech for the insight, and follow our social pages to stay up to date with the latest VPN news and offers.