What happened?
In an another weird turn of story in Hong Kong after the new draconian law which was enforced in Hong Kong by China, user data from 7 free VPN providers was released in public. What this data consisted of was millions of User identities, Online activities and much more amounting approximately 1.2 (TB) Terra byte.

Why does it looks an amateurish behavior?
In the VPNMentor report it is mentioned “A Group of free VPN (Virtual Private Network) apps left their servers completely open and accessible, exposing private user data for anyone to see.” by the looks of it, anyone can come to a conclusion that how can these VPN providers who provided “no log policy.”(will discuss it below) left their servers open for everyone to see and that too after the recent law imposition of Chinese government. The data that they left opened was 1.2TB large. Such a huge data release for VPN’s who follow no log policy.

Who are these VPN providers.Who are the developers of these VPN services?
These providers are as follows:

  • Super VPN
  • Flash VPN
  • Secure VPN
  • Rabbit VPN

The VPNMentor report states, these VPN apps belonged to the same developer. What is more funny is that these VPN apps used the same server with each other and were hosted on the same asset. The client which received payment from these apps is also the same: Dreamfii HK Limited. The developer of these VPN services have headquarter in Hong Kong and the team had alerted Hong Kong’s Computer Emergency Response Team office (HKCERT).

What types of data were leaked in this mess.What impact can it potentially do on users?
The following data was leaked according to the report:

  • Name
  • Email address
  • Home address
  • Activity logs
  • passwords in clear text format
  • Bitcoin payment information
  • Support messages
  • personal device information
  • technical specifications
  • account information
  • direct Paypal API links

And the impact that it can do on the user whether in Hong Kong or not are:

  • Fraud
  • doxing
  • blackmail
  • extortion
  • viral attack
  • hacking
  • arrest (if in Hong Kong or other parts of china)
  • persecution (if in Hong Kong or other parts of china)

Whats next? What should the users do?
The database after exposure has now been secured 10 days after the incident. previous data are leaked out though.
What can the users of these services do you ask ? well for preliminary steps you can:

  • Remove all your personal identification data from the services database.
  • change the password and username for better security
  • change the payment links and any other payment modes information saved in the account of your VPN providers database.

And if you are thinking to change to a trusted VPN provider (you specially should consider it if you are in Hong Kong then search for better alternatives like ProtonVPN. VPN’s like ProtonVPN follow strict no log policy. Read this article regarding how ProtonVPN is fighting for people in Hong Kong here:

By Siddhant Pathak

Cyber security architect, 7+ years experience in cyber security industry, Tech savy, Nature lover, Bullet 350 rider

Have some thoughts? why not share with us here.