Free VPN software left more than 18GB of connection logs accessible to the public. Threat actors could exploit the database to identify and even locate its users.
The Cybernews team discovered an open database containing 18.5GB of connection logs generated by the BeanVPN app.
The dataset contained over 25 million records, including user device and Play Service IDs, internet protocol addresses (IPs), and connection timestamps, among other diagnostic information.
"The information found in this database could be used to de-anonymize BeanVPN's users and find their approximate location using geo-IP databases. The Play Service ID could also be used to find out the user's email address that they are signed in to their device with," said Aras Nazarovas, Cybernews security researcher.
The Elasticsearch instance our team discovered during a routine checkup is now closed. Cybernews repeatedly reached out to BeanVPN developer company IMSOFT for a comment but had not received a reply at the time of writing.
It further emphasized that the company is committed to protecting user information with "best-in-class physical, procedural, and technical security" to protect its offices and information storage facilities. However, publicly available information suggests that the company’s only office is in an apartment building in Bucharest, Romania.
The BeanVPN app was downloaded over 50,000 times from the Google Play Store and is not available on the App Store. The Beanvpn.com website is used to promote the company's other app – Telefly MTProto Proxy Servers for Telegram.
Thousands of open databases
In March 2021, the Cybernews team discovered three databases containing the data of 21 million people, leaked by SuperVPN, GeckoVPN, and ChatVPN. Information for sale on the dark market included email addresses and passwords (hashed for the first two services and in plaintext for ChatVPN), users' full names, and information about country and payments.
It's also not the first time we've come across an open Elasticsearch instance. This is a popular search engine favored by enterprises dealing with large, constantly updated volumes of data.
Recently, the Cybernews team found a dataset thought to belong to UK law enforcement agencies with information on millions of vehicles accessible to the public, while job seekers in Italy and Eastern Europe were at risk because employment search engines left their Elasticsearch instances open to the public.
The Secureworks researchers recently found over 1,200 Elasticsearch datasets that have been wiped by threat actors who also left a ransom note for database owners. They've identified over 450 individual ransom demands, totaling over $280,000.
Similar activity is not unique to Elasticsearch. In 2020, a threat actor replaced over 1,000 unsecured database files on Elasticsearch, MongoDB, and other platforms with the word "meow."
Last year, Cybernews researchers found that more than 29,000 Elasticsearch, Apache Hadoop, and MongoDB databases worldwide were still publicly accessible, leaving close to 19,000 terabytes of data exposed to anyone, including threat actors.
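The exposures described in this section share a root cause: an Elasticsearch node bound to a public interface with no authentication in front of its REST API. The script below is an added example, not Cybernews' code and nothing from BeanVPN or IMSOFT; it audits a flat elasticsearch.yml for that combination. The setting names (network.host, xpack.security.enabled, xpack.security.http.ssl.enabled) are real Elasticsearch settings, while the two sample configurations and the finding messages are constructed for the example. An absent security setting is reported rather than assumed safe, because the default depends on the Elasticsearch version.

```python
"""Audit a flat elasticsearch.yml for settings that leave a cluster reachable
and unauthenticated. Added example; sample configs below are constructed."""

# Values of network.host that keep the node on the local machine only.
LOOPBACK = {"localhost", "127.0.0.1", "::1", "_local_"}

# Constructed sample: the shape of config behind many public "open database" finds.
WEAK_CONFIG = """
cluster.name: vpn-logs
network.host: 0.0.0.0          # every interface, including the public one
http.port: 9200
discovery.type: single-node
xpack.security.enabled: false  # REST API answers anyone who can reach port 9200
"""

# Constructed sample: reachable on the LAN, but only with credentials over TLS.
HARDENED_CONFIG = """
cluster.name: vpn-logs
network.host: 10.0.0.5
http.port: 9200
discovery.type: single-node
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""


def parse_flat_yaml(text: str) -> dict:
    """Parse the flat `key: value` lines elasticsearch.yml normally uses.
    Comments and blank lines are skipped; nested YAML is out of scope here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def _as_list(value: str) -> list:
    # network.host may be a single value or a bracketed list such as [_local_, _site_]
    return [v.strip() for v in value.strip("[]").split(",") if v.strip()]


def _is_true(value: str) -> bool:
    return value.strip().lower() == "true"


def audit(settings: dict) -> list:
    """Return findings for a node that is reachable from other hosts without
    authentication or TLS. A loopback-only node yields no findings."""
    hosts = _as_list(settings.get("network.host", "_local_"))  # ES default is loopback
    exposed = [h for h in hosts if h not in LOOPBACK]
    if not exposed:
        return []
    where = ", ".join(exposed)
    findings = []
    if not _is_true(settings.get("xpack.security.enabled", "")):
        findings.append(
            f"xpack.security.enabled is not explicitly true: REST API on {where} may answer without authentication"
        )
    if not _is_true(settings.get("xpack.security.http.ssl.enabled", "")):
        findings.append(
            f"xpack.security.http.ssl.enabled is not explicitly true: credentials and data to {where} travel in clear text"
        )
    return findings


def audit_yaml(text: str) -> list:
    return audit(parse_flat_yaml(text))


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_yaml(cfg)
        print(f"{name}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

Run it against your own node's config file by reading the file into audit_yaml(); an empty result means the node is either loopback-only or has both authentication and HTTP TLS switched on explicitly, which is the state the exposed instances in this article lacked.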
Free VPNs can allow you to surf the net anonymously, stay safe from threat actors, and access content that is restricted in your area. However, an ill-chosen VPN can also get you into a lot of trouble by selling your data to third parties or spamming you with intrusive ads.
Free VPNs might come with some kind of catch, including frustrating data limits, speed restrictions, lack of features, small server fleet, and generally shady behavior.
To help you choose wisely, Cybernews has created a list of the best free VPN software for Windows, Mac, Android, iOS, Linux, and other platforms.