[BreachExchange] VPN firm that claims zero logs policy leaks 20 million user logs
Destry Winant
destry at riskbasedsecurity.com
Fri Jul 17 01:09:26 EDT 2020
https://www.hackread.com/vpn-firm-zero-logs-policy-leaks-20-million-user-logs/
The VPN company in the discussion is a Hong Kong-based UFO VPN owned
by Dreamfii HK Limited.
Perhaps, the most ironic moments in the cybersecurity world occur when
those who promise to protect your online privacy cannot guard their
own turf. We’ve seen this happen from time to time with security firms
getting hacked themselves.
Another similar case has emerged recently when the database of a Hong
Kong-based VPN provider called UFO VPN was exposed with more than 20
million users logs.
Discovered by researchers from Comparitech on July 1st, 2020; the
exposure occurred due to the database hosted on an Elasticsearch
cluster being left without any password.
Worth 894 GB, the data allegedly included plaintext passwords, IP
addresses, timestamps of user connections, session tokens, information
of the device, and OS being used along with geographical information
in the form of tags.
The implications of this are pretty dangerous in that not only user
accounts are at risk of being taken over by malicious actors but users
can also be tracked online.
Furthermore, using the session tokens, any encrypted data that someone
gains access to could also be decrypted rendering the entire concept
of encryption useless in this scenario.
This, as Comparitech has rightly pointed out, goes against the service
provider’s privacy policy and the promises of a zero log policy it has
communicated to its users:
UFO VPN does not collect, monitor, or log any traffic or use of its
Virtual Private Network service, under any circumstances, on any
platform.
The incident was reported to UFO VPN and the database was secured
yesterday on 15 July. The company, on the other hand, claims that due
to the certain employee being changed because of the Coronavirus, the
issue could not be identified earlier stating the following:
In this server, all the collected information is anonymous and only be
used for analyzing the user’s network performance & problems to
improve service quality. So far, no information has been leaked.
This though of course if what the company seems to be saying to
mitigate the damage to its reputation with the facts clearly
suggesting otherwise. For the future, hence, it remains to see if the
firm improves its security practices and how many users jump ship.
Users of the provider are suggested to immediately change their
account passwords as they may be at risk.
More information about the BreachExchange
mailing list