25 million free VPN user records exposed


Free VPN software left more than 18GB of connection logs accessible to the public. Threat actors could exploit the database to identify and even locate its users.

The Cybernews team discovered an open database containing 18.5GB of connection logs generated by the BeanVPN app.


The dataset contained over 25 million records, including user device and Play Service IDs, internet protocol addresses (IPs), and connection timestamps, among other diagnostic information.

"The information found in this database could be used to de-anonymize BeanVPN's users and find their approximate location using geo-IP databases. The Play Service ID could also be used to find out the user's email address that they are signed in to their device with," said Aras Nazarovas, Cybernews security researcher.

The Elasticsearch instance, which our team discovered during a routine check, has since been closed. Cybernews repeatedly reached out to BeanVPN's developer, IMSOFT, for comment but had not received a reply at the time of writing.

It appears that IMSOFT violated its own privacy policy that says they collect "only the minimal data required to operate a world-class VPN service at scale."

"We do not collect logs of your activity, including no logging of browsing history, traffic destination, data content, or DNS queries. We also never store connection logs, i.e., no logs of your IP address, your outgoing VPN IP address, connection timestamp, or session duration. We designed our systems not to have sensitive data about you; even when compelled, we cannot provide data that we do not possess," its privacy policy reads.

It further emphasized that the company is committed to protecting user information with "best-in-class physical, procedural, and technical security" to protect its offices and information storage facilities. However, publicly available information suggests that the company’s only office is in an apartment building in Bucharest, Romania.

The BeanVPN app was downloaded over 50,000 times from the Google Play Store and is not available on the App Store. The Beanvpn.com website is used to promote the company's other app – Telefly MTProto Proxy Servers for Telegram.


Thousands of open databases

In its privacy policy, IMSOFT says that "no data security measures in the world can offer 100% protection." That is partly true, and this is not the first VPN data leak we've witnessed.

In March 2021, the Cybernews team discovered three databases containing the data of 21 million people, leaked by SuperVPN, GeckoVPN, and ChatVPN. The information, offered for sale on a dark web market, included email addresses and passwords (hashed for the first two services, plaintext for ChatVPN), users' full names, and country and payment details.

It's also not the first time we've come across an open Elasticsearch instance. Elasticsearch is a popular search and analytics engine favored by enterprises dealing with large, constantly updated volumes of data. Its HTTP API will answer anyone who can reach it unless authentication is enabled, so a node bound to a public interface without access controls exposes every index it holds.

Recently, the Cybernews team found a dataset thought to belong to UK law enforcement agencies, with information on millions of vehicles, accessible to the public, while job seekers in Italy and Eastern Europe were put at risk because employment search engines left their Elasticsearch instances open to the public.

Secureworks researchers recently found over 1,200 Elasticsearch databases that had been wiped by threat actors, who left a ransom note for the owners in their place. They identified over 450 individual ransom demands, totaling over $280,000.

Similar activity is not unique to Elasticsearch. In 2020, a threat actor wiped over 1,000 unsecured Elasticsearch, MongoDB, and other databases, leaving the word "meow" in place of their contents.

Last year, Cybernews researchers found that more than 29,000 Elasticsearch, Apache Hadoop, and MongoDB databases worldwide were still publicly accessible, leaving close to 19,000 terabytes of data exposed to anyone, including threat actors.
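The exposures described above share one root cause: an Elasticsearch HTTP endpoint reachable without credentials. The script below is an added example for this article, not Cybernews' tooling nor anything from IMSOFT or any provider named here. It probes a node's root endpoint and `_cat/indices` API (both real Elasticsearch endpoints), reports whether the node answers without authentication, totals the exposed data, and flags index names that look like residue of the wipe-and-ransom attacks mentioned in the previous paragraphs (the "meow"/"read_me" fragments are a heuristic of mine). The hostname and the two HTTP responses used by `demo()` are constructed so the example runs offline; run `scan()` only against hosts you own or are authorised to test.

```python
"""Probe an Elasticsearch node for unauthenticated access and summarise what it exposes.

Added example; not Cybernews' or IMSOFT's code. The hostname and responses in
demo() are constructed, not captured from any real system.
"""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass, field

# Index-name fragments seen after wipe-and-ransom attacks ("meow" from the 2020
# Meow attacks; "read_me"/"recover" from ransom-note indices). Heuristic only.
RANSOM_HINTS = ("meow", "read_me", "readme", "recover")


@dataclass
class Finding:
    host: str
    open_access: bool = False
    note: str = ""
    indices: list = field(default_factory=list)   # (index name, document count)
    total_bytes: int = 0
    suspicious: list = field(default_factory=list)


def fetch(url, timeout=5.0):
    """GET a URL; return (status, body). Network failures yield (None, message)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:          # 401/403 are answers, not failures
        return err.code, err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError) as err:
        return None, str(err)


def assess(host, root_status, root_body, idx_status, idx_body):
    """Classify a node from its "/" and "/_cat/indices?format=json&bytes=b" responses."""
    f = Finding(host=host)
    if root_status is None:
        f.note = "unreachable"
        return f
    if root_status in (401, 403):
        f.note = "credentials required"          # what a hardened node returns
        return f
    try:
        root = json.loads(root_body)
    except json.JSONDecodeError:
        root = {}
    if not isinstance(root, dict) or "tagline" not in root or "version" not in root:
        f.note = "answered, but not an Elasticsearch root document"
        return f
    f.open_access = True
    f.note = "root endpoint served without credentials (Elasticsearch %s)" % (
        root["version"].get("number", "?"))
    if idx_status != 200:
        return f
    try:
        rows = json.loads(idx_body)
    except json.JSONDecodeError:
        rows = []
    for row in rows:
        name = row.get("index", "")
        f.indices.append((name, int(row.get("docs.count") or 0)))
        f.total_bytes += int(row.get("store.size") or 0)   # bytes=b gives plain integers
        if any(h in name.lower() for h in RANSOM_HINTS):
            f.suspicious.append(name)
    return f


def gib(n_bytes):
    """Bytes to GiB, rounded to two decimals."""
    return round(n_bytes / 2**30, 2)


def scan(host, port=9200, scheme="http"):
    """Live probe of one node: two GETs, then assess(). Use only on hosts you own."""
    base = "%s://%s:%d" % (scheme, host, port)
    root_status, root_body = fetch(base + "/")
    idx_status, idx_body = fetch(base + "/_cat/indices?format=json&bytes=b")
    return assess(host, root_status, root_body, idx_status, idx_body)


# Constructed responses shaped like the real API so the example runs offline.
SAMPLE_ROOT = json.dumps({"name": "node-1", "cluster_name": "app-logs",
                          "version": {"number": "7.10.2"},
                          "tagline": "You Know, for Search"})
SAMPLE_INDICES = json.dumps([
    {"health": "yellow", "status": "open", "index": "connection-logs-2022.06",
     "docs.count": "25000000", "store.size": "19864223744"},
    {"health": "green", "status": "open", "index": "x9k2q-meow",
     "docs.count": "0", "store.size": "283"},
])


def demo():
    """Assess the constructed responses as if they came from an open node."""
    return assess("constructed.example", 200, SAMPLE_ROOT, 200, SAMPLE_INDICES)


if __name__ == "__main__":
    r = demo()
    print(r.note)
    for name, docs in r.indices:
        print("  %-30s %12d docs" % (name, docs))
    print("  total %.2f GiB; suspicious: %s" % (gib(r.total_bytes), r.suspicious or "none"))
```

A node that is configured correctly returns 401 to the first request and the script stops there. On the Elasticsearch side, the fix is the same in every case above: enable authentication (`xpack.security.enabled: true`, the default since version 8) and bind `network.host` to an internal interface rather than a public one, so the API is never reachable from the internet in the first place.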

Choose wisely

Free VPNs can mask your IP address from the sites you visit, shield your traffic from snoopers on the local network, and reach content that is restricted in your area. However, an ill-chosen VPN can also get you into a lot of trouble by selling your data to third parties, keeping the logs it promised not to keep, or spamming you with intrusive ads.

Free VPNs might come with some kind of catch, including frustrating data limits, speed restrictions, lack of features, small server fleet, and generally shady behavior.


To help you choose wisely, Cybernews has created a list of the best free VPN software for Windows, Mac, Android, iOS, Linux, and other platforms.

When choosing a VPN service, look into the provider's privacy policy, user reviews, features, bandwidth limits, and speed. Bear in mind that a policy is only a promise: as this case shows, a provider that pledges "no logs" can still hold and expose connection records. A free VPN is worthwhile if you want to keep your traffic from being snooped on public Wi-Fi, but it does not by itself make you anonymous.