© 2022 CyberNews - Latest tech news,
product reviews, and analyses.

One of the biggest Android VPNs hacked? Data of 21 million users from 3 Android VPNs put up for sale online

A user on a popular hacker forum is selling three databases that purportedly contain user credentials and device data stolen from three different Android VPN services - SuperVPN, GeckoVPN, and ChatVPN - with 21 million user records being sold in total.

The VPN services whose data has been allegedly exfiltrated by the hacker are SuperVPN, which is considered one of the most popular (and dangerous) VPNs on Google Play with 100,000,000+ installs on the Play Store, as well as GeckoVPN (1,000,000+ installs) and ChatVPN (50,000+ installs).

The forum user is selling deeply sensitive device data and login credentials – email addresses and randomly generated strings used as passwords – of more than 21 million VPN users for an undisclosed sum.

We reached out to SuperVPN, GeckoVPN, and ChatVPN and asked the providers if they could confirm that the leak was genuine, but we had received no responses at the time of writing this report.


What was leaked?

The author of the forum post is selling three archives, two of which allegedly contain a variety of data apparently collected by the providers from more than 21,000,000 SuperVPN, GeckoVPN, and ChatVPN users, including:

  • Email addresses
  • Usernames
  • Full names
  • Country names
  • Randomly generated password strings
  • Payment-related data
  • Premium member status and its expiration date

The forum post author is also offering to sort the data by country for potential buyers. The random password strings might indicate that the VPN user accounts could be linked with the Google Play Store accounts from which the users downloaded their VPN apps.

[Image: example of VPN user data put up for sale on the hacker forum]

Based on the samples we saw from the second archive, it appears to contain user device information, including:

  • Device serial numbers
  • Phone types and manufacturers
  • Device IDs
  • Device IMSI numbers

The threat actor claims that the data has been exfiltrated from publicly available databases that were left vulnerable by the VPN providers due to developers leaving default database credentials in use.

If true, this is an incredible blow to user security and privacy on the part of SuperVPN, GeckoVPN, and ChatVPN. And, in the case of SuperVPN, this blow is not the first.

The danger of using VPNs that log your data

If the data sold by the threat actor is genuine, it appears that the VPN providers in question are logging far more information about their users than stated in their Privacy Policies.

It is also worth pointing out that the attackers might have gained full remote access to the VPN servers.

With deeply sensitive device information such as device serial numbers, IDs, and IMSI numbers in hand, threat actors with access to the compromised VPN servers can carry out malicious activities such as man-in-the-middle attacks and more.

In theory, one of the main points of using a VPN is to encrypt your internet traffic and protect your privacy from the prying eyes of third parties, such as ISPs, repressive governments, or threat actors.

This is why, when choosing a VPN, users should always make sure that the VPN in question does not log their online activities or collect any other data about them. Otherwise, data stolen from VPNs that log their users’ information can be used against those users by threat actors.

This is particularly true for free VPNs, many of which claim they don’t log user data, but are time and again proven to collect and sell information about their users to third parties. That's not to say that all free VPNs are guilty of data logging, although reputable free VPNs are definitely in the minority.

And, as this leak has shown, stolen credentials and device data can be the dire cost of choosing the wrong VPN provider.


Comments

Yakin kasih emanuel daeli
8 months ago
Nice

Charles Edward Hogue
9 months ago
I have had SURFSHARK FOR ABOUT 9 MONTHS. THE ONLY PROBLEM I HAVE WITH SURFSHARK IS THAT IT INTERFERES WITH MY SAFARI ACTIVITY. I HAVE TO DISCONNECT SURFSHARK TO SELECT ITEMS FROM MY SAFARI BROWSER. THEN I HAVE TO CONNECT MY BROWSER TO SURFSHARK AGAIN. WHAT A HEADACHE.

Robert Tucker
10 months ago
Hell hath no fury depending on things that are listed as free. The expectation of privacy can only be guaranteed by paying for it, due diligence, and the guarantee of no data collection storage of all the data of the user.

Robert Tucker BSc MSc Ph D

Fred
10 months ago
Hello, I used Super VPN for like 1 day at max before uninstalling it after seeing that it's not safe. It was a few months ago. Only the free version, but I don't remember if they asked me for credit card information. Should I be seriously worried?

Jari Turkia
10 months ago
Interesting, FastestVPN isn’t mentioned. I’m using unique email addresses for all services and I’m getting spam for the email given to them.

Aleks
10 months ago
GeckoVPN actually has 1M+ installations, not 10 million as reported in the article

Mantas Sasnauskas
10 months ago
Hi Aleks, nice spot, you are correct – edited it.

Juni
10 months ago
The leaked data seems fake. Android device id and imsi require permission READ_PHONE_STATE, but from Google Play page, the app doesn’t even request it.

Mantas Sasnauskas
10 months ago
Hi Juni, READ_PHONE_STATE and READ_PRIVILEGED_PHONE_STATE are used to gather IMSI, IMEI numbers in most of the cases and are used in GeckoVPN at least. Checking static analysis on these apps reveals other potentially dangerous permissions such as REQUEST_INSTALL_PACKAGES.

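The permission check discussed in this exchange can be run against an app's manifest once it has been decoded from the APK's binary XML to text. This is an added example, not code from the article or its commenters; the manifest, the package name `com.example.vpnclient` and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions named in the comment thread, with how Android treats them.
WATCHLIST = {
    "android.permission.READ_PHONE_STATE":
        "runtime (dangerous) permission for telephony state",
    "android.permission.READ_PRIVILEGED_PHONE_STATE":
        "signature|privileged: declaring it does not grant it to a store app",
    "android.permission.REQUEST_INSTALL_PACKAGES":
        "lets the app ask the user to install other APKs",
}

# Constructed sample manifest (decoded text form), not taken from any real app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vpnclient">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"
                     android:maxSdkVersion="28"/>
    <uses-permission-sdk-23
        android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="Example VPN"/>
</manifest>
"""

def declared_permissions(manifest_xml):
    """Return {permission: maxSdkVersion or None} for every declaration."""
    root = ET.fromstring(manifest_xml)
    found = {}
    for elem in root:
        # Both element names declare permissions; the second applies on API 23+.
        if elem.tag in ("uses-permission", "uses-permission-sdk-23"):
            name = elem.get(f"{{{ANDROID_NS}}}name")
            if name:
                found[name] = elem.get(f"{{{ANDROID_NS}}}maxSdkVersion")
    return found

def audit(manifest_xml):
    """List watch-listed permissions the manifest declares, sorted by name."""
    declared = declared_permissions(manifest_xml)
    return [(name, declared[name], WATCHLIST[name])
            for name in sorted(declared) if name in WATCHLIST]

if __name__ == "__main__":
    for name, max_sdk, note in audit(SAMPLE_MANIFEST):
        limit = f" (declared up to API {max_sdk})" if max_sdk else ""
        print(f"{name}{limit}: {note}")
```

The manifest inside the APK is the authoritative list of declared permissions, so auditing it directly settles what a store listing may not show.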
Juni
10 months ago
As for SuperVPN, it seems most of the data are randomly generated, including username and password; most of the device IDs and IMSIs are just random strings (UUID).

Michelle Brown smith
9 months ago
I say no matter how far we go to protect or how much money we pay for protection, the bad guys are going to get your most personal information. For two years I was paying for security across the board, and monitoring, ID protection. This company kept giving me the same old info, so I decided to step my game up, I purchased a 5 star security company so I thought, debit my account same old info. I already knew the whole time what information would come back after the scan, because I paid 3.00 to learn what was going on in my device, and I have 4 data breaches and 46 exposures; my life is for sale on the dark web. My deceased mother's maiden name. Kinda crappy. And no one notifies you. So it doesn’t matter how much you pay for security. At the end of the day some companies are making millions of dollars in sales of human beings' personal information, and data from our devices. There should be a law against it. To sell someone’s info with or without consent. JUST ANOTHER FORM OF HUMAN TRAFFICKING