Seven VPNs tracked sensitive user data including home addresses, despite pledging not to

All of these VPNs seemingly came from one company, Dreamfii HK Limited, with a shared server

Adam Smith
Monday 20 July 2020 14:39 BST
Comments
(Getty Images)

Your support helps us to tell the story

From reproductive rights to climate change to Big Tech, The Independent is on the ground when the story is developing. Whether it's investigating the financials of Elon Musk's pro-Trump PAC or producing our latest documentary, 'The A Word', which shines a light on the American women fighting for reproductive rights, we know how important it is to parse out the facts from the messaging.

At such a critical moment in US history, we need reporters on the ground. Your donation allows us to keep sending journalists to speak to both sides of the story.

The Independent is trusted by Americans across the entire political spectrum. And unlike many other quality news outlets, we choose not to lock Americans out of our reporting and analysis with paywalls. We believe quality journalism should be available to everyone, paid for by those who can afford it.

Your support makes all the difference.

Seven free VPNs from Hong Kong, which purportedly had no-log policies, were in fact found to be keeping track of vital information on their customers.

The VPNs affected are UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN, all of which seemingly come from one developer with one product, yet are rebranded as different products.

It is advised that users change their passwords and change the login information of any other account that used such passwords and, if possible, switch to another service.

CompariTech discovered 894GB of records on an unsecured server belonging to UFO VPN.

The database was left exposed for almost three weeks, between 27 June and 15 July.

CompariTech says its research shows hackers can find and attack databases within hours of them being made vulnerable.

A following investigation was conducted by vpnMentor, which linked UFO VPN with the other aforementioned services.

Over one terabyte of information was left on unprotected servers, which included passwords saved in plain text as well as personal information such as email addresses, home addresses, phone models, and more.

Over 20 million VPN users have been affected.

A response from the UFO VPN team claimed that it was unable to lock down its data due to “personnel changes caused by COVID-19”.

It also claimed that data in the server was “anonymous and only be used for analyzing the user’s network performance & problems to improve service quality.”

Both vpnMentor and CompariTech investigations say that UFO VPN’s claims are untrue, highlighting data that mentions explicit names.

In any instance, such a claim reveals that UFO VPN did in fact keep logs on its users.

UFO VPN’s privacy policy stated that it does not “track user activities outside of our Site, nor do we track the website browsing or connection activities of users who are using our Services.”

It appears that all the severs mentioned have a single recipient for payments, a company called Dreamfii HK Limited. The Independent has reached out to the company for comment.

Allegations fo such behaviour from a VPN provider is particularly troubling considering that VPNs are used to bypass restrictions on content from countries where such content is illegal.

The vpnMentor investigation highlighted an Iranian user accessing adult content via the VPN.

Recently, the Chinese government has also cracked down on Hong Kong citizens' freedom to protest and access to information with its national security law, so a VPN that does not adequately protect such information could put lives at risk.

Join our commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

Comments

Thank you for registering

Please refresh the page or navigate to another page on the site to be automatically logged inPlease refresh your browser to be logged in