A popular free VPN app downloaded hundreds of millions of times on iOS and Android has suffered another data leak exposing a staggering number of user records.
Security researcher Jeremiah Fowler recently discovered a 133 GB treasure trove containing over 360 million records of sensitive information.
The affected cross-platform VPN app SuperVPN has over 100 million downloads across Google Play Store, Apple App Store, and other markets.
The breach revealed that SuperVPN stored logs despite its “no logs policy,” raising concerns about similar free VPNs.
Free VPN data leak exposed identifiable user information
The VPN data breach exposed information that could identify users, such as their original IP addresses, email addresses, and geolocation information.
Additionally, it exposed secret keys, app user IDs, UUIDs, device models, operating system information, internet connection type, visited websites, app version, paid account details, and refund requests.
The leaked information could also expose users’ online activities, putting them at risk of spying, hacking, or even prosecution.
According to the researcher, the Chinese government “has been reported to take action against individuals who use VPNs to access restricted content.”
“As more people around the world care about data privacy or try to bypass censorship, they often use a VPN,” Fowler wrote in a blog post on vpnMentor. “This is a prime example of what data could be captured, shared with governments, or exposed in the event of a data breach.”
Increased privacy concerns have led to the proliferation of unreliable free VPN services promising state-of-the-art privacy and security features but failing to meet basic security standards.
SuperVPN has a long history of insecurity
In May 2022, SuperVPN was listed alongside ChatVPN and GeckoVPN in another VPN data leak that exposed 21 million user records.
In April 2022, Google removed SuperVPN after discovering vulnerabilities that could enable man-in-the-middle (MITM) attacks, redirecting users to malicious servers, and exposing messages between the user and the VPN provider.
VPNPro also found that the SuperVPN Free VPN Client app could expose users’ credit card details, putting them at risk of online fraud.
In 2016, Australian researchers listed SuperVPN, which had only 10,000 downloads, as malware-rigged and advised users to delete the app.
Free VPN app cloaked in mystery
Fowler noticed many confusing details about the Super VPN app. He found that despite having similar logos on Android and iOS, the app was listed as developed by two entities.
On Google Play Store, SuperVPN was credited to SuperSoft Tech, while Qingdao Leyou Hudong Network Technology Co. developed the iOS, iPad, and macOS apps. The researcher identified another company Changsha Leyou Baichuan Network Technology Co., referenced in the leaked data.
Fowler contacted the developer via the email address listed on the iOS app, and the database was closed without any further correspondence.
The deafening silence the researcher encountered after reporting the data leak raised serious “concerns about the transparency and security of these free VPN services,” he said.
The researcher also noted that the companies do not provide “much information about their ownership or location on their websites.”
The data leak could also indicate a systemic problem since Super VPN’s customer support emails were linked to Storm VPN, Luna VPN, Radar VPN, Rocket VPN, and Ghost VPN.
However, he concluded that the free VPN app had “connections to China,” given the database notes were in Chinese. He also suggested that the leaked database belonged to Qingdao Leyou Hudong Network Technology Co.
Be careful when choosing a VPN app
The researcher stated that the data leak underscored the need for users to “understand why choosing a trustworthy and reputable service is important for your privacy in more ways than just your internet activities.”
Fowler highlighted various red flags users should identify when choosing virtual private networks. Such indicators include confusing data collection policies, unclear ownership, poor reviews, and the lack of standard security measures like encryption.
For example, in 2020, researchers discovered that SuperVPN sent data over an insecure HTTP connection, putting users at risk of MiTM attacks.
Similarly, users should be cautious when using a VPN app developed by entities in an authoritarian mass surveillance state with an iron grip on the country’s internet.
“If a VPN app has no dedicated website or no information on who the developers are or this information seems to be hidden, it is a potential risk,” he noted, adding, “Where the VPN is located can also be a risk.”
Fowler clarified that the data leak did not imply any wrongdoing by the listed entities but advised users to take precautions when picking VPN services.
“Unfortunately, the misconception that using a VPN provides privacy and is secure is quite prevalent,” Dror Liwer, co-founder of Coro, concluded. “Not all VPNs are created equal, and simply downloading an app assuming its developer adheres to strict data governance is not good practice.”