21 million free VPN users’ data exposed

21 million free VPN users’ data exposed

Detailed credentials for more than 21 million mobile VPN app users were swiped and advertised for sale online last week, offered by a cyber thief who allegedly stole user data collected by the VPN apps themselves. The data includes email addresses, randomly generated password strings, payment information, and device IDs belonging to users of three VPN apps—SuperVPN, GeckoVPN, and ChatVPN.

The attacks, which have not been confirmed by the VPN developers, represent the most recent privacy broadsides against the VPN industry. Two similar blunders have been revealed to the public since 2019, including one massive data leak that exposed several VPN apps’ empty promises to collect “no logs” of their users’ activity. In that data leak, not only did the VPN providers fail to live up to their words, but they also hoovered up additional data, including users’ email addresses, clear text passwords, IP addresses, home addresses, phone models, and device IDs.

For the average consumer, then, the privacy pitfalls begin to paint an all-too-familiar portrait: Users continue to feel alone when managing their online privacy, even when they rely on tools meant to enhance that privacy.

Cybersecurity researcher Troy Hunt, who wrote about the recent data leak on Twitter, called the entire issue “a mess, and a timely reminder why trust in a VPN provider is so crucial.”

He continued: “This level of logging isn’t what anyone expects when using a service designed to *improve* privacy, not to mention the fact they then leaked all the data.”

The data leak of SuperVPN, GeckoVPN, and ChatVPN

In late February, a user on a popular hacking forum claimed that they’d stolen account information and credentials belonging to the users of three, separate VPNs apps available on the Google Play store for Android: SuperVPN, GeckoVPN, and ChatVPN.

The three apps vary wildly in popularity. According to Google Play’s count, ChatVPN has earned more than 50,000 installs, GeckoVPN has earned more than 10 million installs, and SuperVPN weighs in as one of the most popular free VPN apps for Android today, with more than 100 million installs to its name.

Despite SuperVPN’s popularity, it is also one of the most harshly reviewed VPN apps for Android devices. Last April, a writer for Tom’s Guide found critical vulnerabilities in the app that so worried him that the review’s headline directed current users to: “Delete it now.” And just one month later, a reviewer at TechRadarPro said that SuperVPN had a “worthless privacy policy” that was cobbled together from other companies’ privacy policies and which directly contradicted itself.

Not more than one year later, that privacy policy has again been thrown into the spotlight with a data leak that calls into question just what types of information the app was actually collecting.

According to the thief who pilfered the information from SuperVPN, GeckoVPN, and ChatVPN, the data for sale includes email addresses, usernames, full names, country names, randomly generated password strings, payment-related data, and a user’s “Premium” status and the corresponding expiration date. Following the forum post, the tech outlet CyberNews also discovered that the stolen data included device serial numbers, phone type and manufacturer information, device IDs, and device IMSI numbers.

According to CyberNews, the data was taken from “publicly available databases that were left vulnerable by the VPN providers due to developers leaving default database credentials in use.”

Past VPN errors

The unfortunate truth about the recent VPN app data leak is that this type of data mishap is nothing new.

In 2019, the popular VPN provider NordVPN confirmed to TechCrunch that it suffered a breach the year before. According to TechCrunch:

“NordVPN told TechCrunch that one of its data centers was accessed in March 2018. ‘One of the data centers in Finland we are renting our servers from was accessed with no authorization,’ said NordVPN spokesperson Laura Tyrell.

The attacker gained access to the server—which had been active for about a month—by exploiting an insecure remote management system left by the data center provider; NordVPN said it was unaware that such a system existed.”

NordVPN informed Malwarebytes that its customers’ data was not affected, and that the breached server did not contain any user activity logs or any other information that could be linked to a particular user.

Separate from the NordVPN breach, last July, seven VPN providers were found to have left 1.2 terabytes of private user data exposed online, according to a report published by the cybersecurity researchers at vpnMentor. According to the report, the exposed data belonged to as many as 20 million users. The data included email addresses, clear text passwords, IP addresses, home addresses, phone models, device IDs, and Internet activity logs.

The seven VPN providers investigated by vpnMentor were:

  • Fast VPN
  • Free VPN
  • Super VPN
  • Flash VPN
  • Secure VPN
  • Rabbit VPN

The researchers at vpnMentor also explained that there was good reason to believe that the seven apps were all made by the same developer. When analyzing the apps, vpnMentor discovered that all of them shared a common Elasticsearch server, were hosted on the same assets, shared the same, single payment recipient—Dreamfii HK Limited—and that at least three of the VPNs shared similar branding and layouts on their websites.

Finally, the report also highlighted the fact that all seven of the apps claimed to keep “no logs” of user activity. Despite this, vpnMentor said that it “found multiple instances of internet activity logs on [the apps’] shared server.”

The report continued: “We viewed detailed activity logs from each VPN, exposing users’ personal information and browsing activities while using the VPNs and unencrypted plain text passwords.”

So, not only did these apps fail to live up to their own words, but they also collected extra user data that most users did not anticipate. After all, most consumers might rightfully assume that a promise to refrain from collecting some potentially sensitive data would extend to a promise to refrain from collecting other types of data.

But, according to vpnMentor, that wasn’t the case, which is a clear breach of user trust.

Let’s put it another way:

Imagine choosing a video baby monitor that promised to never upload your audio recordings to the cloud, only to find that it wasn’t just sending those recordings to an unsecured server, but it was also snapping photos of your baby and sending those pictures along, too. 

Which VPN to trust?

The trust that you place into your VPN provider is paramount.

Remember, a VPN can help protect your traffic from being viewed by your Internet Service Provider, which could be a major telecom company, or it could be a university or a school. A VPN can also help protect you from government requests for your data. For instance, if you’re doing investigative work in another country with a far more restrictive government, a VPN could help obfuscate your Internet activity from that government, should it take interest in you.

The important thing to note here, though, is that a VPN is merely serving as a substitute for who sees your data. When you use a VPN, it isn’t your ISP or a restrictive government viewing your activity—it’s the VPN itself.

So, how do you find a trustworthy VPN provider who is actually going to protect your online activity? Here are a few guidelines:

  • Read trusted, third-party reviews. Many of the issues in the above apps were spotted by good third-party reviewers. When picking a VPN provider, rely on the words of some trusted outlets, such as Tom’s Guide, TechRadar, and CNET.
  • Ensure that a VPN provider has a customer support contact. Several of the VPN apps investigated by vpnMentor lacked any clear way to contact them. If you’re using a product, you deserve reliable, easy-to-reach customer support.
  • Check the VPN’s privacy policy. As we learned above, a privacy policy is not a guarantee for actual privacy protection, but a company’s approach to a privacy policy can offer insight into the company’s thinking, and how much it cares more about its promises.  
  • Be cautious of free VPNs. As we wrote about last week, free VPNs often come with significant trade-offs, including annoying ads and the surreptitious collection and sale of your data.
  • Consider a VPN made by a company you already trust. More online privacy and cybersecurity companies are offering VPN tools to supplement their current product suite. If you already trust any of those companies—such as Mozilla, Ghostery, ProtonMail, or, yes, Malwarebytes—then there’s good reason to trust their VPN products, too.

It’s a complicated online world out there, but with the right information and the right, forward-looking research, you can stay safe.


David Ruiz

Pro-privacy, pro-security writer. Former journalist turned advocate turned cybersecurity defender. Still a little bit of each. Failing book club member.