This post was originally published July 30, 2020.
Seven free VPN providers that assured users they don’t keep activity logs have left their servers exposed to the public, and those servers contain, you guessed it, troves of personally identifiable information.
The server hosting the data was first cached and indexed by search engine Shodan on June 27 and remained online for over two weeks. It’s impossible to say whether any unauthorized individuals accessed the information, which could be used for identity theft, phishing attacks, or blackmail.
The exposed user data, reported by Comparitech’s Bob Diachenko and VPN Mentor’s Noam Rotem, was initially linked to Hong Kong-based UFO VPN. Further investigations found a slew of free VPNs also exhibiting the same leaks, including FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN.
All the VPNs in question are based in Hong Kong and appear to share the same parent company: payments for their paid tiers go to a single recipient, and in some cases their websites carry almost identical branding.
Another thing that they all have in common? They all claim to be “no-log” VPNs, meaning that they don’t store records of users’ web activity.
Keeping no logs is a crucial security feature that many VPN services claim to provide. But this data leak, rife with user logs, revealed that the seven VPNs failed to live up to this claim.
The data uncovered by the security researchers included account passwords in clear text, details on IP addresses, location information, device characteristics, type of operating system used, and specifics on the VPN servers that they connected to.
In some cases, the databases also stored payment information logs such as PayPal APIs, user support inquiries, users’ home or work addresses, and detailed session data such as the types of sites visited and time spent.
In total, over 20 million records were exposed across the suite of offending free VPN apps.
Free VPNs have a history of dubious business practices, and in this case they’ve displayed an egregiously false representation of their terms of service and privacy policy.
How does ExpressVPN keep you safe?
At ExpressVPN, we’re fanatical about your privacy and security. We never collect logs of your internet activity, and we never store connection logs either. But we’ve gone a step further to protect our users’ privacy and security by developing our in-house TrustedServer technology.
The traditional way of running servers relies on hard drives, which collect and retain data until it is erased. This raises the risk that servers could inadvertently contain sensitive information. TrustedServer has our VPN servers running on volatile memory (RAM), which means nothing can remain on a server when it is rebooted—neither data nor potential intruders.
But don’t just take our word for it. Independent auditors at PwC reviewed our systems and processes to verify our privacy policy and our claims about TrustedServer.
At ExpressVPN, we believe that internet users should be empowered to make informed decisions when choosing a risk-free VPN. That’s why we work with the Center for Democracy and Technology to promote responsible disclosure in the VPN industry.
Read more about the steps we take to protect our users and earn their trust.