Skip to main content

CYBER INSIGHTS: DATA BREACH - Free VPN Data Breach Exposed 360 Million

DAILY CYBER INSIGHTS: DATA BREACH - Why Using the Right VPN Matters!
By: Jeremiah Fowler - Cybersecurity Researcher

Published on 24th May 2023

Free VPN Data Breach Exposed 360 Million Records Online - Why Using the Right VPN Matters!

Cybersecurity security researcher Jeremiah Fowler discovered and reported to vpnMentor a non-password protected database containing over 360 million records related to a VPN data breach. The publicly exposed records contained email addresses, device information, and even references to sites that the user visited.

Nearly all of the records in the database mentioned references to SuperVPN, an application that advertises a free to download VPN service. There are two (2) apps named SuperVPN available officially on both the Apple and Google application stores. According to the Google app store page, they have a combined 100 million downloads worldwide.

After reviewing a limited sample of records, I sent a responsible disclosure about the exposure to all available email addresses associated with both apps. The database was subsequently closed although I never received any reply. This incident serves as a wake-up call for anyone who uses a VPN to understand why choosing a trustworthy and reputable service is important for your privacy in more ways than just your internet activities.

I observed many refund requests and paid-account details in the records, which makes sense since the Super VPN we assume was leaking offered paid subscription after a free trial. Notably, the two apps named SuperVPN are listed under separate developers on both Google Play and Apple’s app store. SuperVPN for iOS, iPad, and macOS are credited to developers Qingdao Leyou Hudong Network Technology Co., whereas the second app of the same name is developed by SuperSoft Tech. I also found references to a company named Changsha Leyou Baichuan Network Technology Co. within the database and mentions of Qingdao Leyou Hudong Network Technology Co.. All appear to have connections to China, and notes inside the database were in the Chinese language.

All indications point to Qingdao Leyou Hudong Network Technology Co. as the owner of the database and we cannot confirm if there is a connection to SuperSoft despite the many similarities. The logos of both companies are very similar, particularly the logos of SuperVPN for Mac and SuperVPN for other iOS devices. I reached out to both companies for further confirmation to determine if they are connected or share the same developer. However, I never received a reply or comment on my discovery. Neither company provides much information about their ownership or location on their websites, which has raised concerns about the transparency and security of these free VPN services.

What the leak exposed:
  • 360,308,817 total records exposed with a size of 133 GB.
  • The records contained sensitive information, including user email addresses, original IP addresses, geolocation, and records of servers used. Additionally, the records also contained what appeared to be secret keys, Unique App User ID numbers and UUID Numbers (a Universally Unique Identifier is a 36-character alphanumeric string that can be used to identify further information).
  • Additional information in the records included phone or device model, operating system, internet connection type, and VPN application version.
  • Refund requests from users who either purchased the product or were charged.
  • Links to websites that the app users visited could identify their activity and be a privacy threat to the users who expect a reasonable degree of security.

The same Super VPN’s customer support emails were also linked to Storm VPN, Luna VPN, Radar VPN, Rocket VPN and Ghost VPN (not to be confused with CyberGhost VPN). In addition, references to these VPN provider names were found inside the database. At this point, it is not possible to determine if these VPNs are owned by the same company, yet we can assume they are somehow related. According to the customer support page of the app developed by Qingdao Leyou Hudong Network Technology Co.: “SuperVPN keeps no logs which enable interference with your IP address, the moment or content of your data traffic. We make express reference to the fact that we do not record in logs communication contents or data regarding the accessed websites or the IP addresses”. However, this data exposure appears to contradict this privacy guarantee. It should be noted that the application permissions allow the VPN to access the device’s files, images, and other device information. Learn More /...

About Jeremiah Fowler - Cybersecurity researcher
Cybersecurity researcher at vpnMentor and Co-Founder of Security Discovery.

Jeremiah finds and reports data breaches and vulnerabilities. He identifies real world examples of how exposed data can be a much bigger risk to personal privacy. Together with the vpnMentor team he has helped secure the personal data of millions of people from all over the world.

Jeremiah has over 10 years of experience in cyber security and has found some of the largest data breaches recorded in yearly summaries. After the company he was working for had a data breach of their own customers he became inspired to find out how data exposures happen. What started as digital treasure hunting quickly became more than a hobby. He quickly became a well known security researcher and thought leader frequently appearing in the news.

He has been a keynote speaker at multiple security conferences and has given lectures and webinars to start-ups and Fortune 100 companies on the topics of cyber security, privacy, and data protection. Jeremiah lives by the saying "Do what you love, and you will always love what you do" Learn More /...







Labels:
Location: Gibraltar

Comments

Post a Comment

Popular posts from this blog

CYBER BREACH: Data Breach Exposed Thousands of Pet Medical Records Including Owner Information

Tuesday, 5th December 2023 CYBER BREACH: Data Breach Exposed Thousands of Pet Medical Records Including Owner Information By Jeremiah Fowler - Website Planet  Syndicated By IainFraser.net/CYBER_Voice Daily Cyber Insights  Cybersecurity Researcher, Jeremiah Fowler, discovered and reported to WebsitePlanet about a non-password protected database that contained over 56,000 records, including pet medical reports, DNA tests, pedigree history and other potentially sensitive information. As a long-time cyber security researcher, this is one of the most interesting discoveries I have ever encountered and a first for me.  I recently discovered a non-password protected database that contained records of thousands of dogs from around the world and included the information of their human owners. The publicly exposed cloud storage database contained a total of 56,624 documents in .PDF, .png, and .jpg formats with a total size of 25 GB. Upon further investigation, the database appeared...
Post a Comment
Learn More »

CYBERSECURITY NEWS: ECSO Launches its latest ground-breaking initiative CYBERHive

28th November 2023  CYBERSECURITY NEWS: ECSO Launches its latest ground-breaking initiative CYBERHive  Syndicated By: Iain Fraser/ Cyber PR Wire via IainFRASER.net/ CyberPRWire ECSO is delighted to announce the launch of its new, ground-breaking initiative: Cyberhive EUROPE. Cyberhive is the first-ever European marketplace co-created with- and for the European cybersecurity ecosystem, and will offer global accessibility to all Europe-headquartered cybersecurity solution providers, while also being freely accessible to end-users worldwide. Through the Cyberhive, ECSO will connect market players, promote European-made products, and ultimately strengthen the European cybersecurity market as a whole. To learn more about the Cyberhive, read below.  The second Annual CISO Meetup, organised by ECSO, starts today! Over 150 CISOs are joining us in Florence from all over Europe to engage in high-level discussions on critical cybersecurity topics. Read more below. Learn More /... ...
Post a Comment
Learn More »

CYBER THREAT INTEL: AI - UK & US Spooks publish AI Development Guidance

Tuesday, 28th November 2023 CYBER THREAT INTEL: AI - UK & US Spooks publish AI Development Guidance Posted by: Iain Fraser - Cybersecurity Journalist Gibraltar via IainFraser.net/ Daily Cyber Insights CYBER THREAT INTEL: AI - UK & US Spooks publish AI Development Guidance The UK NCSC & US CISA have joint-published what they term as "security-focused guidance" for AI & ML developers and those who leverage AI/ML with their protocols and systems.  The Publication of Guidelines for Secure AI System Development (PDF),  apply to all types of AI/ML systems, regardless of whether built from wireframe up or added as a bolt-on on third-party resources, to address issues related to AI, cybersecurity, and critical infrastructure. Devised to be used in conjunction with existing Cybersecurity, Incident Response and Cyber Risk-Management protocols. The NCSC and CISA have said “Providers should implement security controls and mitigations where possible within their mode...
Post a Comment
Learn More »