Data breach of free VPN providers exposes info of millions of users

July 23, 2020

A VPN, or Virtual Private Network, is software used to encrypt data as it travels back and forth outside your network. This software helps to provide an extra layer of security and privacy.

Ironically, a group of free VPN providers reportedly had 1.2 terabytes of user data exposed, totaling 1 billion records. The private security firm vpnMentor, which discovered the leak on July 5th, found the data on an unsecured server. It included Personally Identifiable Information (PII) such as email and home addresses, IP addresses, and VPN account login credentials (username, password).

Aside from the Personally Identifiable Information (PII) that was discovered, technical information about the devices on which the VPNs were installed was also found. This includes connection data logs, web traffic and websites visited, IP addresses of origin, ISP server, current location, type of device, device identification, application version, phone models, and the user's network connection.

It was surprising to discover that the leak also revealed stored internet activity logs, which casts doubt on the providers' claims that they keep no records of their customers' online activities. This could potentially affect more than 20 million users.

The free providers affected by this leak are Rabbit VPN, FREE VPN, FAST VPN, Flash VPN, SUPER VPN, Secure VPN and UFO VPN. The common denominator among these seven providers is that they are all Hong Kong-based services. According to the investigation, the VPNs exposed in this leak share the same developer, a conclusion based on the following:

  • All the providers share a common Elasticsearch server
  • All of them are hosted within the same assets
  • They all have one recipient for payments, Dreamfii HK Limited
  • At least three of them on the same asset share near-identical branding on their respective websites

The private security firm reached out to the providers involved immediately upon discovering the leak, and to Hong Kong CERT to inform them about the leak on July 8th.

According to the researcher, they found the server “completely open and accessible, exposing private user data for everyone to see.”


According to the private security firm, the VPN providers could have prevented this leak if they had taken the necessary security measures by doing the following:

  • Securing their servers
  • Implementing proper access rules
  • Requiring authentication on any system that is open to the Internet
  • Steering clear of saving sensitive information or, if data logging is required, encrypting it with prominent security standards
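
The first three measures can be checked on an Elasticsearch node, like the shared server mentioned above, by auditing its `elasticsearch.yml`. The following is an added example, not code from vpnMentor or the providers: it assumes a flat `key: value` config, treats a missing security setting as disabled, and uses constructed sample configs.

```python
import ipaddress

# Constructed sample configs for illustration (not taken from the affected servers).
EXPOSED = """\
cluster.name: app-logs
network.host: 0.0.0.0        # listens on every interface
xpack.security.enabled: false
"""
HARDENED = """\
cluster.name: app-logs
network.host: 10.0.0.5
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

def parse_flat(text):
    """Parse 'dotted.key: value' lines; nested YAML is not handled (assumption)."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            cfg[key.strip()] = value.strip().strip("\"'")
    return cfg

def is_loopback(host):
    """True only for values that keep the node off the network."""
    if host in ("_local_", "localhost"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # hostnames, lists, _site_/_global_: treat as reachable

def enabled(cfg, key):
    # A missing key is treated as disabled (conservative assumption).
    return cfg.get(key, "false").lower() == "true"

def audit(text):
    """Return findings for a node that is reachable beyond loopback."""
    cfg = parse_flat(text)
    findings = []
    if is_loopback(cfg.get("network.host", "_local_")):
        return findings  # default bind is loopback only
    if not enabled(cfg, "xpack.security.enabled"):
        findings.append("reachable without authentication")
    if not enabled(cfg, "xpack.security.http.ssl.enabled"):
        findings.append("HTTP traffic not encrypted")
    return findings

if __name__ == "__main__":
    for name, text in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit(text) or "ok")
```

A clean result only covers the node's own settings; firewall or security-group rules in front of it still need their own review.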


If you’re using one of the VPNs included in this leak, it would be best to switch to a more secure provider.

Precisely 10 days (July 15th) after vpnMentor reached out to the affected VPN providers, they independently verified that the database had been secured and had ceased leaking user logs.
