In 2021, cybercriminals hacked the systems of three free VPNs: SuperVPN, Gecko VPN, and Chat VPN. It resulted in a major data theft that put everyone who used any of VPN services at risk. At the time, the unnamed cybercriminal group made the data available for sale on a popular hacker marketplace.
Now, someone (presumably from the same group) has leaked 10 GB of that stolen user data for free on Telegram. The leaked files were made available for download on Telegram on May 7th, 2022. The cache exposes deeply personal information of over 21 million free VPN users, including their real names, home countries, and billing details.
So far, it’s unclear whether this leak contains all the stolen data from the 2021 hack. It’s possible the cybercriminals just released a small (relatively speaking) sample, as these three VPNs have collectively been downloaded over 100 million times.
A Potentially Devastating Data Breach
When they originally advertised the stolen data on the dark web, the cybercriminals explained they managed to access the free VPNs’ servers easily. Apparently, the server administrators didn’t bother to change their default database credentials… so these were easily guessable.
On top of their non-existent security, the VPNs collected and stored user data (despite promising user privacy) and didn’t even bother to encrypt it. Once the cybercriminals were in the system, they had unfettered access to view and copy sensitive user data. They then posted everything on Telegram for anyone to download for free.
Here’s the full list of stolen user data:
- Full name.
- Country names.
- Billing details.
- Email addresses.
- Randomly generated password strings (possibly hashed and salted).
- Premium member status and its validity period.
Cybercriminals can use the freely available information to target people with more sophisticated phishing attacks. These scams may be extremely specific and therefore harder to detect, since the stolen data includes people’s real names and countries. Criminals can also use this data to commit fraud or identity theft.
The inclusion of billing information is also extremely worrying as criminals can use this in a number of ways to steal people’s money. Also, while the stolen passwords appear to be randomly generated strings, these can be linked to users’ Google Store Accounts. It would be hard to achieve, but it might be possible to link each password to a specific user.
The Real Danger Behind Free VPNs
Besides the potential for scams and online attacks, one of the most concerning aspects of this whole event is the fact that it puts people’s lives at risk. People whose lives depend on online anonymity, like journalists and activists, probably won’t use free VPNs – but it’s possible they did.
The result may be dire for anyone who lives in a place where VPN use is outlawed or whose work makes them a target. It also underlines the reality of free VPNs. Despite promises of top-notch security and privacy, most free VPNs are unsafe. Not only did these VPNs collect and store user data, they didn’t even bother to encrypt it properly.
This isn’t the first time SuperVPN made headlines for putting its users at risk. In 2020, researchers warned the VPN allowed cybercriminals to intercept users’ connections and even redirect their connections to malicious servers. It’s also received poor reviews, citing security risks. Despite that, the app is still available on the Google Play Store with millions of downloads and a near-5-star rating.
People use VPNs to protect their security and provide them with more online privacy. A VPN that cannot do either is not just useless – it’s dangerous. Instead of keeping people’s information and online browsing out of reach, it delivers them straight into the clutches of cybercriminals and other malicious entities.
“VPNs that aren’t created with security in mind are worse than not having a proper VPN in place. They create a consolidation point for attackers to harvest multiple users’ data,” said Dave Cundiff, Vice President of Cyvatar, a security solutions company.
What to Do if You’ve Used These Free VPN Apps
Even if you’re unsure whether your data has been exposed, if you’ve used free VPN apps then you need to assume your data is at risk. Here are a few things you can do to improve your online security right away:
- Delete any free VPN apps from your devices, even if you can’t deactivate your accounts.
- Change your account passwords and make sure to use unique and strong passwords for every account – use a password manager if you need to.
- Activate two-factor authentication on all your accounts.
- Review your bank statements regularly to check for irregular transactions.
- Check if any of your emails were exposed in a data breach.
- Be on the lookout for any strange or unprovoked messages or emails that contain links, downloads, or use either congratulatory or urgent language.
- Install CyberGhost VPN to properly protect your connection from online attacks and increase your privacy online to avoid further complications.
Free VPNs are notoriously unsafe. Even though they claim to provide impressive services, most of these apps can’t follow through without funds. Running servers and maintaining security costs money. That’s why free VPNs often sell user data to make an income. They also can’t provide a large or well-maintained server network. Both those issues lead to increased security risks for free VPN users.