A user on a popular hacker forum is selling three databases that purportedly contain user credentials and device data stolen from three different Android VPN services - SuperVPN, GeckoVPN, and ChatVPN - with 21 million user records being sold in total.
To see if any of your online accounts were exposed in previous security breaches, use our personal data leak checker with a library of 15+ billion breached records.
Looking to try a reputable VPN service? Take advantage of this VPN coupons:
What was leaked?
The author of the forum post is selling three archives, two of which allegedly contain a variety of data apparently collected by the providers from more than 21,000,000 SuperVPN, GeckoVPN, and ChatVPN users, including:
- Email addresses
- Full names
- Country names
- Randomly generated password strings
- Payment-related data
- Premium member status and its expiration date
The forum post author is also offering potential buyers to sort the data by country. The random password strings might indicate that the VPN user accounts could be linked with their Google Play store accounts where the users downloaded their VPN apps from.
Example of VPN user data put for sale on the hacker forum:
- These top VPN services can protect not only your phone, but also other devices
- Looking for a reliable hosting for your website? Check these best web hosting providers in 2021
- Malware and ransomware are no joke. A good antivirus is a must-have in the XXI century
Based on the samples we saw from the second archive, it appears to contain user device information, including:
- Device serial numbers
- Phone types and manufacturers
- Device IDs
- Device IMSI numbers
The threat actor claims that the data has been exfiltrated from publicly available databases that were left vulnerable by the VPN providers due to developers leaving default database credentials in use.
If true, this is an incredible blow to user security and privacy on the part of SuperVPN, GeckoVPN, and ChatVPN. And, in the case of SuperVPN, this blow is not the first.
The danger of using VPNs that log your data
If the data sold by the threat actor is genuine, it appears that the VPN providers in question are logging far more information about their users than stated in their Privacy Policies.
It is also worth pointing out that the attackers might have gained full remote access to the VPN servers.
With deeply sensitive device information such as device serial numbers, IDs, and IMSI numbers in hand, threat actors that have access to the data contained on the compromised VPN servers can get hold of that data and carry out malicious activities such as man-in-the-middle attacks and more.
In theory, one of the main points of using a VPN is to encrypt your internet traffic and protect your privacy from the prying eyes of third parties, such as ISPs, repressive governments, or threat actors.
This is why, when choosing a VPN, users should always make sure that the VPN in question does not log their online activities or collect any other data about them. Otherwise, data stolen from VPNs that log their users’ information can be used against those users by threat actors.
This is particularly true for free VPNs, many of which claim they don’t log user data, but are time and again proven to collect and sell information about their users to third parties. That's not to say that all free VPNs are guilty of data logging, although reputable free VPNs are definitely in the minority.
And, as this leak has shown, stolen credentials and device data can be the dire cost of choosing the wrong VPN provider.