Detailed credentials for more than 21 million mobile VPN app users were swiped and advertised for sale online last week, offered by a cyber thief who allegedly stole user data collected by the VPN apps themselves.
The data includes email addresses, randomly generated password strings, payment information, and device IDs belonging to users of three VPN apps—SuperVPN, GeckoVPN, and ChatVPN.
The attacks, which have not been confirmed by the VPN developers, represent the most recent privacy broadsides against the VPN industry. Two similar blunders have been revealed to the public since 2019, including one massive data leak that exposed several VPN apps’ empty promises to collect “no logs” of their users’ activity. In that data leak, not only did the VPN providers fail to live up to their words, but they also hoovered up additional data, including users’ email addresses, clear text passwords, IP addresses, home addresses, phone models, and device IDs.
For the average consumer, then, the privacy pitfalls begin to paint an all-too-familiar portrait: Users continue to feel alone when managing their online privacy, even when they rely on tools meant to enhance that privacy.
Cybersecurity researcher Troy Hunt, who wrote about the recent data leak on Twitter, called the entire issue “a mess, and a timely reminder why trust in a VPN provider is so crucial.”
He continued: “This level of logging isn’t what anyone expects when using a service designed to *improve* privacy, not to mention the fact they then leaked all the data.”
The data leak of SuperVPN, GeckoVPN, and ChatVPN
In late February, a user on a popular hacking forum claimed that they’d stolen account information and credentials belonging to the users of three separate VPN apps available on the Google Play store for Android: SuperVPN, GeckoVPN, and ChatVPN.
The three apps vary wildly in popularity. According to Google Play’s count, ChatVPN has earned more than 50,000 installs, GeckoVPN has earned more than 10 million installs, and SuperVPN weighs in as one of the most popular free VPN apps for Android today, with more than 100 million installs to its name.
Despite SuperVPN’s popularity, it is also one of the most harshly reviewed VPN apps for Android devices. Last April, a writer for Tom’s Guide found critical vulnerabilities in the app that so worried him that the review’s headline directed current users to: “Delete it now.” And just one month later, a reviewer at TechRadarPro said that SuperVPN had a “worthless privacy policy” that was cobbled together from other companies’ privacy policies and which directly contradicted itself.
Not more than one year later, that privacy policy has again been thrown into the spotlight with a data leak that calls into question just what types of information the app was actually collecting.
According to the thief who pilfered the information from SuperVPN, GeckoVPN, and ChatVPN, the data for sale includes email addresses, usernames, full names, country names, randomly generated password strings, payment-related data, and a user’s “Premium” status and the corresponding expiration date. Following the forum post, the tech outlet CyberNews also discovered that the stolen data included device serial numbers, phone type and manufacturer information, device IDs, and device IMSI numbers.
According to CyberNews, the data was taken from “publicly available databases that were left vulnerable by the VPN providers due to developers leaving default database credentials in use.”
src: Malwarebytes