If you’ve read the site recently, you’ll know we’ve been keen to promote ways to ensure that your most private activity is private – and we’re about to show you why that research is important.
VPNs are a requirement for anyone privacy-minded online in 2020, but picking the wrong one can be costly. This week, seven VPNs based in Hong Kong were found to be logging customer data, rather defeating the point of the service.
Worse still, the data has been discovered in one of those ‘leaky buckets’ we’ve been telling you about. In other words, the data was accessible to anyone with a bit of knowledge – no hacking required.
The affected apps are, predictably, all part of the same developer’s arsenal – Dreamfii HK Limited – and go by the following names:
- UFO VPN
- FAST VPN
- Free VPN
- Super VPN
- Flash VPN
- Secure VPN
- Rabbit VPN
The exposed data is seriously troubling: it includes names, email addresses, plaintext passwords, IP addresses, home addresses, logs of users’ internet activity and the device IDs of the hardware they connected from.
Two white-hat security researchers, Ran Locar and Bob Diachenko, discovered the server at roughly the same time. Both asked Dreamfii why the VPNs were collecting so much data, and why it wasn’t secured. The server has since been secured, but neither researcher received a reply.
If you’re reading this in a relatively liberal country, you may think this isn’t a massive deal, but look at it this way. Imagine you’re LGBTQ+ and living in a country where that is illegal.
Your VPN is your lifeline, and you are paying for absolute privacy and security – and you should be able to trust that’s what you’re getting, as you have no way of checking.
If the leaked data got into your government’s hands, either through investigation or blackmail, you could find your life utterly ruined – at best.
VPN security is massively important. We’ve already given you a list of our favorites, but if you want to cast a wider net, remember two things:
- Firstly – free VPNs are, for the most part, too good to be true. There are exceptions, but if you’re being offered a service like this for free, listen for the alarm bells: running a VPN costs money, and the data it handles is the obvious thing to sell.
- Second – and this is massively important – get an independent verification that your choice of VPN is doing what it says it is. All the Dreamfii apps claim to be “No Logs”. We now know that isn’t true.
UPDATE: After we published this story, we discovered via Betanews that UFO VPN had left another, newer leaky bucket on the internet. It’s not entirely clear why lightning struck twice, though security researchers have suggested that they moved to a new Elasticsearch account and made exactly the same mistake.
Fortunately, this second database is no longer a problem – it was hit by the ‘Meow’ attack, an automated campaign of unknown origin that wipes unsecured databases it finds exposed on the internet, leaving nothing behind but a string of digits and the word ‘Meow’. Who says all computer malware is bad? Though this probably was too, from Dreamfii’s perspective – and it’s cold comfort to anyone whose data was copied before the wiper arrived.