VPN applications meant to protect users’ privacy online have been found exposing their sensitive information to third parties. Security researchers at Cybernews report that cybercriminals are selling more than 21 million user records on a hacking forum. The sellers are trading three databases containing user credentials and device data from three Android Virtual Private Network (VPN) services: SuperVPN (100,000,000+ installs on the Play Store), GeckoVPN (10,000,000+ installs), and ChatVPN (50,000+ installs).
The leaked records include users’ email addresses, usernames, full names, country names, randomly generated password strings, payment-related data, premium member status and expiration date, along with device serial numbers, phone types and manufacturers, device IDs, and device IMSI numbers.
“The threat actor claims that the data has been exfiltrated from publicly available databases that were left vulnerable by the VPN providers due to developers leaving default database credentials in use,” Cybernews said.
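The two conditions named in that statement, a database reachable from the internet and stock installer credentials still in use, are easy to check for before an attacker does. The following is an added, hypothetical audit script written for this article; it is not code from Cybernews or from any of the VPN vendors. The DbConfig structure, the DEFAULT_CREDENTIALS list, and both sample configurations are constructed for illustration, and the weak sample is built to match how the report describes the exposed servers.

```python
"""Hypothetical database-exposure audit (added example, not Cybernews' or
any VPN vendor's code). It checks the two conditions the report attributes
to the leak: a database listener reachable from the internet, and stock
installer credentials still in use. Sample configs below are constructed."""
import ipaddress
from dataclasses import dataclass

# Stock credentials that common database installers/images ship with.
# Illustrative only, not an exhaustive list.
DEFAULT_CREDENTIALS = {
    ("root", ""), ("root", "root"), ("admin", "admin"),
    ("postgres", "postgres"), ("mysql", "mysql"), ("elastic", "changeme"),
}


@dataclass
class DbConfig:
    name: str
    bind_addresses: list  # addresses the server listens on
    auth_enabled: bool    # whether clients must authenticate at all
    accounts: dict        # username -> password (constructed sample data)


def is_public_bind(addr: str) -> bool:
    """True if a listener on this address is reachable beyond the host or LAN.

    0.0.0.0 / :: mean "every interface"; a loopback or RFC 1918 address is not
    internet-facing by itself. 'localhost' is accepted as loopback; any other
    hostname is treated as public because we cannot tell what it resolves to.
    """
    if addr == "localhost":
        return False
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True
    return ip.is_unspecified or not (ip.is_loopback or ip.is_private)


def audit(cfg: DbConfig) -> list:
    """Return human-readable findings; an empty list means nothing flagged."""
    findings = []
    public = [a for a in cfg.bind_addresses if is_public_bind(a)]
    if public:
        findings.append("listener reachable from the internet on " + ", ".join(public))
    if not cfg.auth_enabled:
        findings.append("authentication disabled")
    weak_accounts = [u for u, p in cfg.accounts.items() if (u, p) in DEFAULT_CREDENTIALS]
    for user in weak_accounts:
        findings.append(f"default credentials in use for account '{user}'")
    # The combination is what turns a misconfiguration into a data leak.
    if public and (not cfg.auth_enabled or weak_accounts):
        findings.append("CRITICAL: internet-reachable database with no effective authentication")
    return findings


# Constructed sample: how the leaked databases are described in the report.
WEAK = DbConfig(
    name="weak",
    bind_addresses=["0.0.0.0"],
    auth_enabled=True,
    accounts={"root": "root", "app": "k7Gx!2pQ9"},
)

# Constructed sample: the same server after hardening. Loopback-only bind
# (or a private address behind a firewall), auth on, and the stock account
# removed or given a unique secret.
HARDENED = DbConfig(
    name="hardened",
    bind_addresses=["127.0.0.1", "10.0.3.7"],
    auth_enabled=True,
    accounts={"app": "k7Gx!2pQ9"},
)

if __name__ == "__main__":
    for cfg in (WEAK, HARDENED):
        print(f"[{cfg.name}]")
        for finding in audit(cfg) or ["no findings"]:
            print("  -", finding)
```

Run as-is, the weak sample produces a public-listener finding, a default-credential finding for the root account, and the combined critical finding; the hardened sample produces none. A real deployment would feed the script the server's actual bind settings and account list rather than the constructed values above.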
Threats from Unsecured VPNs
The primary reason for using a VPN is to improve a user’s privacy and security on the internet. A VPN tunnels the user’s traffic through an encrypted connection to the provider’s server, so websites and observers on the local network see the provider’s IP address and location rather than the user’s. It does not hide that traffic from the VPN provider itself, which is why what the provider logs, and how it protects those logs, matters as much as the encryption.
Cybernews says the three providers are likely logging far more information about their users than necessary. It also suspects that cybercriminals may have gained full remote access to the VPN servers.
“If true, this is an incredible blow to user security and privacy on the part of SuperVPN, GeckoVPN, and ChatVPN. And, in the case of SuperVPN, this blow is not the first. With deeply sensitive device information such as device serial numbers, IDs, and IMSI numbers in hand, threat actors that have access to the data contained on the compromised VPN servers can get hold of that data and carry out malicious activities such as man-in-the-middle attacks and more,” Cybernews added.
SuperVPN – The Old Culprit
Various cybersecurity experts have reported issues with SuperVPN.
So this is a mess, and a timely reminder of why trust in a VPN provider is so crucial. This level of logging isn’t what anyone expects when using a service designed to *improve* privacy, not to mention the fact they then leaked all the data. https://t.co/xSPUDjbJhb
— Troy Hunt (@troyhunt) February 28, 2021
Researchers had earlier found critical vulnerabilities in the app and deemed it dangerous, and Google removed SuperVPN from the Google Play Store on April 7, 2020. CISO MAG also advises against using free VPN applications from unknown publishers; an established, paid provider is the safer bet.