VPN with 'strict no-logs policy' exposed millions of user log files including account passwords
An unprotected database belonging to the VPN service UFO VPN was exposed online for more than two weeks. Contained within the database were more than 20 million logs including user passwords stored in plain text.
Users of both UFO VPN's free and paid services are affected by the data breach, which was discovered by the security research team at Comparitech. Despite the Hong Kong-based VPN provider claiming to have a "strict no-logs policy" and that any data collected is anonymized, Comparitech says that "based on the contents of the database, users' information does not appear to be anonymous at all".
Security researchers made the discovery on July 1, 2020, and team leader Bob Diachenko immediately notified UFO VPN. It took a full two weeks for the company to close down the exposed database, blaming the delay on the coronavirus pandemic:
"Due to personnel changes caused by COVID-19, we've not found bugs in server firewall rules immediately, which will lead to the potential risk of being hacked. And now it has been fixed."
It seems that the server hosting the data was first indexed by search engine Shodan.io on June 27, meaning that data was exposed for almost three weeks. It is not known if any malicious actors accessed the data while it was available. Comparitech says:
"It’s not clear how many users are affected, but our findings suggest that potentially all users who connected to UFO VPN at the time of exposure could be compromised. UFO VPN claims to have 20 million users on its website, and the database exposed more than 20 million logs per day."
In all, 894GB of data was exposed, and the API access records and user logs included:
- Account passwords in plain text
- VPN session secrets and tokens
- IP addresses of both user devices and the VPN servers they connected to
- Connection timestamps
- Device and OS characteristics
- URLs that appear to be domains from which advertisements are injected into free users’ web browsers
Users of the services are advised to change their passwords immediately.