KEY POINTS

  • Some VPNs leaked private user data
  • UFO VPN and six others have leaked 1.207 terabytes' worth of user data that wasn't supposed to be collected in the first place
  • Affected users should make an extra effort to secure their accounts as soon as possible

Some VPNs – Virtual Private Networks – have leaked user data, according to recent reports.

VPNs are meant to give their users privacy, and they promise to keep no records that could identify users or reveal what they were doing on the internet. However, a report from cybersecurity firm Comparitech revealed that one of these VPNs, Hong Kong-based provider UFO VPN, has leaked its users' information.

This VPN promises users that it keeps “zero logs” of all their data and activities on the internet. However, the VPN exposed a database that contains sensitive data, including the following:

  • User account passwords (in plain text)
  • VPN session secrets and tokens
  • IP addresses of both the user devices and the VPN servers they connected to
  • Geo-tags (which give away user location)
  • Connection timestamps
  • Device and OS characteristics
  • URLs that look like domains from which advertisements are injected into free users’ web browsers

While UFO VPN claims that the exposed data are “anonymous,” a quick look at the nature of the data shows the opposite. Furthermore, the leaked data indicate that the Hong Kong-based VPN violates its own privacy policy, which says, “We do not track user activities outside of our Site, nor do we track the website browsing or connection activities of users who are using our Services.”

Widespread issue

What's even more disturbing here is the fact that UFO VPN shares the same codebase and setup with other VPNs that are widely used, Android Police reported. According to the report, a research team at vpnMentor discovered that there are at least six other VPNs that use the same infrastructure: FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN and Rabbit VPN.

All of these VPNs, along with UFO VPN, have leaked a total of 1.207 terabytes' worth of user data, which wasn't supposed to be collected, much less leaked. All of these VPNs are available on the Google Play Store, each of them having 10,000 to 1 million installs. A problem this wide could've affected anybody.

What to do?

Those who have used or are using these VPNs are advised to at least change their account information as soon as possible, Lifehacker noted.

Users should update all accounts that use the compromised passwords, replace them with unique passwords, activate two-factor authentication and make sure to find a trustworthy VPN to use in the future.