vpnMentor found that seven free VPN providers claiming no-logs policies and maximum security delivered the opposite. Over 20 million users' details were exposed.
According to their websites, every one of these free VPNs provides ‘military-grade security features and zero logs policies to reinforce its users’ information security’.
All are fronts for Dreamfii HK, and they share a common Elasticsearch server located in China.
Over 1 billion records were exposed, containing:
- Activity logs
- PII (names, emails, home addresses)
- Cleartext passwords
- Bitcoin payment information
- Support messages
- Personal device information
- Tech specs
- Account info
- Direct PayPal API links
- And much more
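The article does not say how the shared Elasticsearch server came to be reachable, only that its indices were exposed. As an added illustration (not from vpnMentor, GadgetGuy or Dreamfii HK, and not the actual configuration of that server), the two `elasticsearch.yml` fragments below contrast the kind of settings that leave an index readable by anyone who can reach it with the settings a defender would expect to see: the node bound to a private interface, authentication required, and TLS on the HTTP API. The setting names are real Elasticsearch keys; the address and keystore path are assumed placeholder values.

```yaml
# Weak: the node listens on every interface and security is switched off,
# so anyone who can reach the HTTP port can read and write every index.
network.host: 0.0.0.0
xpack.security.enabled: false

# Hardened (assumed values): listen only on a private address, require
# authentication for every request, and encrypt the HTTP API.
network.host: 10.0.0.5
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: http.p12
```

Network placement and authentication limit who can read the data; they do not change what is in it. A provider that actually kept no logs would have had no activity records or cleartext passwords to expose in the first place, so data minimisation is the control that matters most here.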
The apps focus on Android via Google Play, although there are Windows, Mac and iOS versions.
The company denied that the breach had been serious, but as the blog from vpnMentor shows, those statements were clearly ‘incorrect’.
The breaches of trust were so severe that state actors could trace all web activity, via IP address, back to the account owner. This opens owners to potential blackmail, as free VPNs are often used to access adult, illicit or illegal sites.
Users that upgraded to the paid version were doubly screwed. The exposed information included sensitive PayPal API links alongside the full names, emails and addresses of users paying by that method. Those paying with cryptocurrency had their email and other identifiers exposed.
Free VPN Outcomes
Users of these services face:
- Knowledge of their activities by nation-states, resulting in arrest or persecution
- Phishing and fraud via highly targeted emails
- Blackmail, sextortion and doxing
- Additions to their dark web profiles, increasing the potential for ID theft
vpnMentor has a list of the ten best paid VPNs here. These include GadgetGuy’s Australian recommendations of Private Internet Access and NordVPN. You may like to read why Free VPNs are like the Wild West (here).