When it comes to anything on the Internet, there typically is no such thing as “free” software. While there are exceptions, especially within the open-source community, most “free” software actually uses its consumers’ data as payment. This is especially the case with free VPN services: they may promise encrypted connections and Internet anonymity when in actuality they are collecting private data. Many of these companies use the promise of “no logging” to lure in users, only to be later exposed as falsely claiming to follow no-log policies.
This has become readily apparent in a recent data leak incident involving multiple free VPNs. As reported by Balaji N of cybersecuritynews.com, the following VPNs have suffered a data breach:
- UFO VPN
- FAST VPN
- Free VPN
- Super VPN
- Flash VPN
- Secure VPN
- Rabbit VPN
All of the VPNs listed are based in Hong Kong and promise their users an ironclad no-log policy. As the breach has shown, however, the opposite is true: roughly 1.2TB of personal data was exposed. The data belongs to more than 20 million customers and includes “activity logs, PII (names, emails, home address), cleartext passwords, bitcoin payment information, support messages, personal device information, tech specs, account info, direct PayPal API links.”
The breach stems from an Elasticsearch server belonging to what appears to be the parent company of these VPNs. The company in question is Dreamfii HK Limited, and while its ownership of the seven services was never explicitly made known, all data from these seven free VPNs converges on its server.
It is safe to say that any user of the VPNs mentioned above is in grave danger of having their data used for nefarious purposes. The best course of action is to immediately stop using these free VPNs, check banking statements for suspicious activity, be alert to social engineering attacks that make use of this data, and ultimately find another VPN to use.
The adage is true: You get what you pay for.
Featured image: Shutterstock