Hong Kong-based VPN provider UFO VPN exposed a database of user logs and API access records on the web without a password or any other authentication required to access it. The exposed information includes plain text passwords and information that could be used to identify VPN users and track their online activity.
Bob Diachenko, who leads Comparitech’s security research team, uncovered the exposure, which affects both free and paid users of UFO VPN. He immediately alerted the company upon discovering the exposed data on July 1, 2020.
Update July 21, 2020: After the exposed data had been secured, it resurfaced a second time on July 20 at a different IP address. This dataset, which we believe was exposed a second time by UFO VPN, was even bigger and contains records as recent as July 19.
It’s not clear how many users are affected, but our findings suggest that potentially all users who connected to UFO VPN at the time of exposure could be compromised. UFO VPN claims to have 20 million users on its website, and the database exposed more than 20 million logs per day.
More than two weeks after we sent a disclosure to UFO VPN, the company shut down the database and responded by email, “Due to personnel changes caused by COVID-19, we’ve not found bugs in server firewall rules immediately, which will lead to the potential risk of being hacked. And now it has been fixed.”
“We don’t collect any information for registering,” the spokesperson said. “In this server, all the collected information is anonymous and only be used for analyzing the user’s network performance & problems to improve service quality. So far, no information has been leaked.” [sic]
But based on some sample data, we do not believe this data to be anonymous. We are in contact with UFO VPN to verify our findings and will update this article accordingly.
We recommend UFO VPN users change their passwords immediately, and the same goes for any other accounts that share the same password.
Timeline of the exposure
The database was exposed for almost three weeks in total. Here’s what we know:
- June 27, 2020: The server hosting the data was first indexed by search engine Shodan.io
- July 1, 2020: Diachenko discovered the exposed data and immediately notified UFO VPN
- July 14, 2020: Diachenko notified the hosting provider
- July 15, 2020: The database was secured.
- July 20, 2020: The database was exposed a second time with data as recent as July 19.
- July 20, 2020: The second exposed dataset was attacked, and almost all of the records destroyed by a “Meow” bot attack. Only newly added records remained.
We do not know if any unauthorized parties accessed the data while it was exposed. Our own research shows that hackers can find and attack databases within hours of being made vulnerable.
What data was exposed?
894 GB of data was stored in an unsecured Elasticsearch cluster. UFO VPN claimed the data was “anonymous”, but based on the evidence at hand, we believe the user logs and API access records included the following info:
- Account passwords in plain text
- VPN session secrets and tokens
- IP addresses of both user devices and the VPN servers they connected to
- Connection timestamps
- Geo-tags
- Device and OS characteristics
- URLs that appear to be domains from which advertisements are injected into free users’ web browsers
Much of this information appears to contradict UFO VPN’s privacy policy, which states:
“We do not track user activities outside of our Site, nor do we track the website browsing or connection activities of users who are using our Services.”
See UFO VPN’s privacy policy here.
Dangers of exposed data
If bad actors managed to get their hands on the data before it was secured, it could pose several risks to UFO VPN users.
The plain-text passwords are the most clear and direct threat. Hackers could not only use them to hijack UFO VPN accounts, but might also be able to carry out credential stuffing attacks on other accounts. If the same password is used across multiple accounts, they could all be compromised.
IP addresses could be used to discern users’ whereabouts and corroborate their online activity. VPNs are often used to hide users’ real locations and online activity.
The session secrets and tokens could be used to decrypt session data that an attacker might have captured. For example, if an attacker intercepted encrypted data being sent through the VPN on a compromised wi-fi network, they could conceivably decrypt that data with this information.
Email addresses could be used to target users with tailored phishing messages and scams.
This exposure demonstrates why we routinely encourage readers to avoid free VPN services, which tend to have subpar security and privacy standards. Ideally, a VPN service should keep no logs including IP addresses.
About UFO VPN
UFO VPN is a Hong Kong-based VPN provider that says it serves 20 million users on its website. It claims to have a zero log policy and “bank grade protection,” though that is arguably not the case.
The company offers both free and paid plans.
The focus of UFO VPN’s marketing is unblocking content. It promises access to blocked websites, apps, and region-locked streaming services like Netflix.
How and why we reported this exposure
Security researcher Bob Diachenko heads up Comparitech’s security research team to find and report incidents in which personal data has been exposed on the web. When we come across unsecured data, we immediately take steps to notify the owner so it can be secured as soon as possible.
We investigate data incidents like these to learn to whom the data belongs, who might be impacted, what information is exposed, and what consequences might come as a result. Once the data has been secured, we publish a report like this one to inform users who might be affected and raise awareness.
Our goal is to curb malicious access and abuse of personal data. We hope our report can raise cybersecurity awareness and minimize harm that might come to end users.
Previous data incident reports
Comparitech and Diachenko have teamed up to report on several data exposure incidents, including:
- French Civic Service exposes 1.4 million user records
- 42 million Iranian “Telegram” phone numbers and user IDs were breached
- Details of nearly 8 million UK online purchases leaked
- 250 million Microsoft customer support records were exposed online
- More than 260 million Facebook credentials were posted to a hacker forum
- Almost 3 billion email address leaked, many with corresponding passwords
- Detailed information on 188 million people was held in an unsecured database
- K12.com exposed 7 million student records
- MedicareSupplement.com made 5 million personal records publicly available
- Over 2.5 million CenturyLink customer records were leaked
- Choice Hotels leaks records of 700,000 customers