UFO VPN, a Hong Kong-based VPN provider that claims a 'zero logs' policy, left a database exposed online with no password. The database held 894 GB of data and was growing by more than 20 million user log entries per day.
The logs reportedly included passwords, IP addresses, geographical location, connection timestamps, session tokens, device information and the OS used.
The exposure came to light after the search engine Shodan.io indexed the server hosting the data. Four days later, Comparitech security researcher Bob Diachenko found the exposed database and notified UFO VPN. Two weeks after that he notified the hosting provider, and the next day, more than two weeks after UFO VPN was first notified, the database was secured.
If bad actors managed to get their hands on the data before it was secured, it could pose several risks to UFO VPN users.
The plain-text passwords are the most clear and direct threat. Hackers could not only use them to hijack UFO VPN accounts, but might also be able to carry out credential stuffing attacks on other accounts. If the same password is used across multiple accounts, they could all be compromised.
IP addresses could be used to discern users’ whereabouts and corroborate their online activity. VPNs are often used to hide users’ real locations and online activity.
The session secrets and tokens could be used to decrypt session data that an attacker might have captured. For example, if an attacker intercepted encrypted data being sent through the VPN on a compromised wi-fi network, they could conceivably decrypt that data with this information.
Email addresses could be used to target users with tailored phishing messages and scams. -Comparitech
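The practical lesson from the Comparitech list above is a storage one: a provider claiming "zero logs" should have nothing in its data store that falls into those risk categories, and the one credential it must keep, the account password, should be stored as a salted hash rather than in the clear. The script below is an added example and is not code from UFO VPN or Comparitech. It audits a constructed log record modelled on the field types the article lists (the field names, the sample values and the risk labels are assumptions), strips the offending fields, and shows salted scrypt password storage with a constant-time check so that a leaked table no longer hands an attacker reusable passwords.

```python
"""Audit stored VPN log records against a zero-logs claim and show
safe password storage.

Added example, not code from UFO VPN or Comparitech. Field names,
sample values and risk labels are assumptions modelled on the field
types the article lists; the sample record is constructed, not real data.
"""
import hashlib
import hmac
import os
import re

# Fields that have no place in a "zero logs" data store, with the risk
# each creates if the store is exposed. Names are assumptions.
SENSITIVE_FIELDS = {
    "password": "plaintext credential: account takeover, credential stuffing",
    "session_token": "session secret: session hijack",
    "ip": "client IP: reveals the user's real location and activity",
    "email": "contact detail: targeted phishing",
    "location": "geolocation: tracks the user's whereabouts",
}

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# scrypt work factor: 128 * n * r bytes = 16 MiB per hash at n=2**14, r=8.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def audit_record(record):
    """Return {field: reason} for every field in a stored record that a
    zero-logs provider should never have written to disk."""
    findings = {}
    for field, value in record.items():
        if field in SENSITIVE_FIELDS and value not in (None, ""):
            findings[field] = SENSITIVE_FIELDS[field]
        elif isinstance(value, str) and IPV4.match(value):
            # An IP address stored under an unexpected key is still an IP.
            findings[field] = SENSITIVE_FIELDS["ip"]
    return findings


def redact_record(record):
    """The same record with only non-sensitive performance data kept."""
    flagged = audit_record(record)
    return {k: v for k, v in record.items() if k not in flagged}


def hash_password(password, salt=None):
    """Salted scrypt hash, encoded as 'salt_hex$digest_hex'.
    This is what an authentication table should hold instead of the
    password itself."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.scrypt(
        password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed sample record (assumed layout, fake values) covering the
# field types the article says were exposed.
SAMPLE_RECORD = {
    "timestamp": "2020-07-01T12:00:00Z",
    "email": "user@example.com",
    "password": "hunter2",
    "ip": "203.0.113.7",
    "location": "Hong Kong",
    "session_token": "tok-0123456789abcdef",
    "device": "iPhone",
    "os": "iOS 13",
    "latency_ms": 42,
    "bytes_sent": 10240,
}


if __name__ == "__main__":
    for field, reason in sorted(audit_record(SAMPLE_RECORD).items()):
        print(f"{field:14s} {reason}")
    print("kept:", redact_record(SAMPLE_RECORD))
    stored = hash_password(SAMPLE_RECORD["password"])
    print("stored credential:", stored)
    print("verify ok:", verify_password("hunter2", stored))
```

Device and OS strings are left in place here because they carry the performance-analysis information the company says it collects; whether they count as identifying depends on how specific they are, so a real audit would decide that per field. The IP regex also catches an address stored under a key the audit did not anticipate, which is the usual way such data survives a "we don't log that" review.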
The company told Comparitech in an email: "Due to personnel changes caused by COVID-19, we’ve not found bugs in server firewall rules immediately, which will lead to the potential risk of being hacked. And now it has been fixed," adding "We don’t collect any information for registering."
"In this server, all the collected information is anonymous and only be used for analyzing the user’s network performance & problems to improve service quality. So far, no information has been leaked."
Comparitech disagrees, and believes that the exposed data was not anonymous.
UFO VPN says it has 20 million users, and claims to offer "bank grade protection" in addition to its "zero log" policy. Its focus is unblocking content such as the region-locked streaming service Netflix, as well as blocked apps and websites.