
According to Cybersecurity Connect*, a database with no password protection containing over 360 million records was uncovered by cybersecurity researcher Jeremiah Fowler of vpnMentor, who said the records related to a VPN data breach.
360,308,817 records were exposed, totaling 133 gigabytes of data. The types of data exposed included email addresses, original IP addresses, records of servers used, Unique App User ID numbers, UUID numbers, geolocation, device information, VPN version, internet connection type, operating system, refund requests and links to websites that users of the app had visited.
All of the information above presents a major security issue, with users' internet history being among the most dangerous, as it hands any potential threat actor a ready-made database of people to blackmail.
Fowler said the records almost all refer to a “SuperVPN”, which, on further inspection, is a program that markets itself as a free VPN service.
“There are two (2) apps named SuperVPN available officially on both the Apple and Google application stores. According to the Google app store page, they have a combined 100 million downloads worldwide,” said Fowler. “Notably, the two apps named SuperVPN are listed under separate developers on both Google Play and Apple’s app store.”
Thomas Uhlemann, Security Specialist at ESET commented:
A VPN provider should normally do exactly as the name suggests: provide a private network – to keep private information from being spied upon or plainly stolen. Offering such services requires the provider to embed privacy and data security into each and every step and process. The foundation of this is collecting only as much data as is necessary for operation (and legal requirements) and protecting user data with state-of-the-art means, such as encryption and robust access control. Users looking for a trustworthy VPN provider should always apply a little background check before making a choice of trust and ask themselves these questions:
- Which company provides the service and is there maybe a track record of breaches or vulnerabilities?
- From which country do they operate? Local laws, such as those in China or the USA, might require the provider to share user data with law enforcement and other entities without notifying the user. EU-based companies need to apply EU-GDPR restrictions and might be the better choice.
- Do they operate their own network of servers to route their users’ traffic, or are they relying on another vendor? If another vendor is involved, it needs to be checked as well. If no information is provided on this subject, it might be safer to choose another vendor.
*ESET does not bear any responsibility for the accuracy of this information.
