Many activists and privacy advocates turn to virtual private networks to keep their internet activity away from prying eyes, but it appears that some VPN providers might have put their customers at risk. VPNMentor reports (via The Register) that sensitive user data from seven free Hong Kong VPN services, ostensibly with no-log policies, was exposed online. The leak reportedly included connection logs, addresses, payment info, plain text passwords and website activity.
All of the companies are ultimately white labels that rebranded a common provider’s service.
At least some of the information has since been taken offline, although it was visible through the IoT search engine Shodan.io for 18 days, meaning the exposed database was discoverable by anyone who went looking.
One of the providers, UFO VPN, claimed that it couldn’t lock down its data quickly due to pandemic-related staff changes. It also maintained that the logs were only used for performance monitoring and were supposedly anonymized. Comparitech and VPNMentor say UFO’s claims are incorrect, though, pointing to sample data that contains explicit names. As it stands, the zero-log claim is clearly untrue.
The incident underscores the problems with white label VPN services. It’s all too easy for some companies to rebrand services without being held to account for their claims. If you’re concerned about the privacy of your data, it may be better to stick to major brands.
It’s also particularly dangerous for Hong Kong. Critics of the government use VPNs precisely to avoid China’s surveillance and censorship. A data leak like this not only undermines the privacy of these VPNs, but risks making it easy for officials to crack down on dissidents. While it’s unclear how much of the info was made public, this could easily leave the VPN firms’ customers scrambling to switch providers and change login details.