Seven VPNs tracked sensitive user data including home addresses, despite pledging not to

Sign up to our free weekly IndyTech newsletter delivered straight to your inbox

Sign up to our free IndyTech newsletter

Please enter a valid email address

Please enter a valid email address

SIGN UP

I would like to be emailed about offers, events and updates from The Independent. Read our privacy notice

Seven free VPNs from Hong Kong, which purportedly had no-log policies, were in fact found to be keeping track of vital information on their customers.

The VPNs affected are UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN, all of which seemingly come from one developer with one product, yet are rebranded as different products.

It is advised that users change their passwords and change the login information of any other account that used such passwords and, if possible, switch to another service.

CompariTech discovered 894GB of records on an unsecured server belonging to UFO VPN.

The database was left exposed for almost three weeks, between 27 June and 15 July.

CompariTech says its research shows hackers can find and attack databases within hours of them being made vulnerable.

A following investigation was conducted by vpnMentor, which linked UFO VPN with the other aforementioned services.

Over one terabyte of information was left on unprotected servers, which included passwords saved in plain text as well as personal information such as email addresses, home addresses, phone models, and more.

Over 20 million VPN users have been affected.

A response from the UFO VPN team claimed that it was unable to lock down its data due to “personnel changes caused by COVID-19”.

It also claimed that data in the server was “anonymous and only be used for analyzing the user’s network performance & problems to improve service quality.”

Both vpnMentor and CompariTech investigations say that UFO VPN’s claims are untrue, highlighting data that mentions explicit names.

In any instance, such a claim reveals that UFO VPN did in fact keep logs on its users.

UFO VPN’s privacy policy stated that it does not “track user activities outside of our Site, nor do we track the website browsing or connection activities of users who are using our Services.”

It appears that all the severs mentioned have a single recipient for payments, a company called Dreamfii HK Limited. The Independent has reached out to the company for comment.

Allegations fo such behaviour from a VPN provider is particularly troubling considering that VPNs are used to bypass restrictions on content from countries where such content is illegal.

The vpnMentor investigation highlighted an Iranian user accessing adult content via the VPN.

Recently, the Chinese government has also cracked down on Hong Kong citizens' freedom to protest and access to information with its national security law, so a VPN that does not adequately protect such information could put lives at risk.