According to their websites, each of these free VPN apps provides ‘military-grade security features and zero logs policies to reinforce its users’ information security’.
In reality, all of them are fronts for Dreamfii HK, and they share a single Elasticsearch server located in China.
Over 1 billion records were exposed, containing:
PII (names, emails, home addresses)
Bitcoin payment information
personal device information
direct PayPal API links
and much more
The apps are primarily distributed for Android via Google Play, although Windows, Mac and iOS versions also exist.
The company denied that the breach was serious, but as the vpnMentor blog shows, those statements were clearly ‘incorrect’.
The exposure was severe enough that a state actor could use the logged IP addresses to tie all web activity back to an individual user. This opens users to blackmail, since free VPNs are often used to reach adult, illicit or illegal sites.
Users who upgraded to the paid version were doubly screwed: the data included sensitive PayPal API links alongside the full names, emails and addresses of everyone paying by that method. Those paying with cryptocurrency had their email and other identifiers exposed.
Free VPN Outcomes
Users of these services face:
Nation-state knowledge of their activities, potentially leading to arrest or persecution
Phishing and fraud via highly targeted emails
Blackmail, sextortion and doxing
Enrichment of their dark web profiles, increasing the risk of identity theft