Free VPNs from Hong Kong with ‘no-log policy’ experience data leak

When it comes to anything on the Internet, there typically is no such thing as “free” software. While there are exceptions, especially within the open-source community, most “free” software is actually using its consumers’ data as payment. This is especially the case with free VPN services, as they may promise encrypted connections and Internet anonymity when in actuality they are collecting private data. Many of these companies use the promise of “no-logging” to lure in users, only to be exposed later as having falsely claimed to follow no-log policies.

This is becoming readily apparent in a recent data leak incident that involves multiple free VPNs. As reported by Balaji N of, the following VPNs are reporting a data breach:

  • Free VPN
  • Super VPN
  • Flash VPN
  • Secure VPN
  • Rabbit VPN

All of the VPNs listed are based in Hong Kong and promise their users an ironclad no-log policy. As the breach has shown, however, the opposite is true, as roughly 1.2TB of personal data is exposed. The data belongs to more than 20 million customers and includes “activity logs, PII (names, emails, home address), cleartext passwords, bitcoin payment information, support messages, personal device information, tech specs, account info, direct PayPal API links.”

The breach stems from an Elasticsearch server belonging to what appears to be the parent company of these VPNs. The company in question is Dreamfii HK Limited, and while their ownership was never explicitly made known, all data from these seven free VPNs converge in their server.

It is safe to say that any user of the VPNs mentioned above is in grave danger of having their data used for nefarious purposes. The best course of action is to immediately stop using these free VPNs, check for suspicious activity on banking statements, be aware of social engineering attacks that use this data, and ultimately find another VPN to use.

The adage is true: You get what you pay for.


Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and a tech journalist who is committed to creating an informed society with regard to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
