A total of seven VPNs that claim a “no log” policy on their websites have exposed user data amounting to 1.2 TB, according to a report from Comparitech and further investigation from vpnMentor.
According to the initial report, China-based UFO VPN leaked close to 894GB of data, despite having a no-logging policy. The exposed data includes passwords, IP addresses, VPN session tokens, the operating system used, and more. The free VPN app has over 10 million downloads on the Google Play Store. Comparitech found data logs in an unsecured Elasticsearch cluster and said over 20 million data entries were being added every day.
vpnMentor later discovered that six more VPNs shared infrastructure and a database with UFO VPN, bringing the total exposed data to 1.2TB. All of these have downloads ranging from 100,000 to a million and state a zero-log policy on their respective websites. These so-called free VPNs are:
- UFO VPN
- FAST VPN
- Free VPN
- Super VPN
- Flash VPN
- Secure VPN
- Rabbit VPN (no longer available on Google Play Store)
Although Comparitech informed UFO VPN first, the company didn’t secure the data until vpnMentor’s team reached out, at least 18 days later. Interestingly, the UFO VPN team claims that they were unable to secure the data due to the Coronavirus.
UFO VPN also said that the VPN service keeps “anonymized” data logs for traffic monitoring, despite knowing that the leaked data contains IP addresses, passwords, and more. In fact, the research team from vpnMentor said some records even had home addresses, payment information, device information, etc.
All seven VPNs share the same payment provider, Dreamfii HK Limited, and a few even have similar UIs on their websites. If you use any of the above-mentioned VPNs, we would advise you to switch to a premium VPN or at least change your login credentials. You can also go through our list of trusted free VPN Android apps.
This is not the first time “free VPNs” have been accused of collecting user data. Last year, over twenty VPN apps, with more than 35 million downloads, were discovered harvesting user data.