7 Hong Kong based VPNs have been keeping unsecured user data in plain text

0
Data leak

If you’ve read the site recently, you’ll know we’ve been keen to promote ways to ensure that your most private activity is private – and we’re about to show you why that research is important.

VPNs are a requirement for anyone privacy-minded online in 2020, but picking the wrong one can be costly. This week, seven VPNs based in Hong Kong were found to be logging customer data, rather defeating the point of the service.

ONLY $9.95
Code: SEXTECHGUIDE
Advertisement
over 55,000 scenes!
AdultTime
Over 300 Channels
Interactive Sex Toys
Original Content Subtitled In 7 Languages
24/7 Customer & Technical Support
Compatible With Any Device: Mobile, Desktop, TV, Tablet
Works on FireTV And Chromecast!

Worse still, the data has been discovered in one of those ‘leaky buckets’ we’ve been telling you about. In other words, the data was accessible to anyone with a bit of knowledge – no hacking required.

The affected apps are, predictably, all part of the same developer’s arsenal – Dreamfii HK Limited – and go by the following names:

  • UFO VPN
  • FAST VPN
  • Free VPN
  • Super VPN
  • Flash VPN
  • Secure VPN
  • Rabbit VPN

The unsecure content is seriously troubling – it includes names, email addresses, passwords in plain text, IP addresses, home addresses, logs of your internet activity along with device IDs of hardware.

Two White Hat Hackers discovered the server at roughly the same time. Both, Ran Locar and Bob Diachenko, have asked Dreamfii why the VPNs are collecting so much data, and why it isn’t secured. The server is now secure, but neither hacker received a reply.

If you’re reading this in a relatively liberal country, you may think this isn’t a massive deal, but look at it this way. Imagine you’re LGBTQ+ and living in a country where that is illegal.

Your VPN is your lifeline, and you are paying for absolute privacy and security – and you should be able to trust that’s what you’re getting, as you have no way of checking.

If the leaky data got into your governments’ hands, either through investigation or blackmail, you could find your life utterly ruined – at best.

VPN security is massively important. We’ve already given you a list of our favorites, but if you want to cast a wider net, remember two things:

  • Firstly – Free VPNs are, for the most part, too good to be true. There are exceptions, but for the most part, if you’re being offered a service like this for free, listen for the alarm bells.
  • Second – and this is massively important – get an independent verification that your choice of VPN is doing what it says it is. All the Dreamfii apps claim to be “No Logs”. We now know that isn’t true.

UPDATE: After we published this story, we discovered via Betanews that UFO VPN had left another, newer leaky bucket on the internet. It’s not entirely clear why lightning struck twice, though security researchers have suggested that they moved to a new Elasticsearch account and made exactly the same mistake.

Fortunately, this second database is no longer a problem – a coordinated attack by security researchers using the ‘Meow’ malware strain has completely destroyed the data in that second bucket. Storage attacked by this particular nasty is completely destroyed except for a string of digits and the word ‘Meow’. Who says all computer malware is bad? Though this probably was too, from Dreamfii’s perspective.

Read Next: Privacy 101: How to keep your browsing and other online activity as private as possible

Affiliate Disclosure
Some articles contain affiliate links that allow us to earn money if you decide to purchase any of these products or services. This does not cost you any extra money, and it allows us to continue to run this website. Affiliate links have no relation to review ratings or other editorial coverage. You can read the full policy here.

Chris M

Chris M

Chris has worked in technology journalism for over a decade, and brings his nerdy expertise to looking at what goes on under the hood of sex tech.

Be the first to leave a comment

Leave a reply