A recent report by cybersecurity specialist Jeremiah Fowler revealed that a non-password-protected database exposed almost 360 million records related to a VPN. The records included email addresses, device information, and even the websites that users had visited. The investigation found that the records belonged to a VPN service provider named SuperVPN.
The most striking aspect of the report was the discovery that two applications with the same name, SuperVPN, existed on both the App Store and Google Play Store. These applications, which together had over 100 million downloads worldwide, had two different developers: SuperSoft Tech and Qingdao Baichuan Network Technology Co. Fowler contacted both companies regarding this data exposure, but received no response or comments from them.
The database also contained customer support emails from other VPN provider names such as Luna VPN, Storm VPN, Radar VPN, Rocket VPN, and Ghost VPN, not CyberGhost. Although it is unclear if the same company owns all the VPNs, there is a significant risk of data breaches for users of VPNs. With users using VPNs to protect their privacy and secure their data, a VPN’s data breach can lead to the leakage of sensitive information such as login credentials, IP addresses, browsing history, geolocation, and other sensitive user data.
Threat actors who gain access to this data can potentially conduct phishing attempts, spam messages, and other social engineering attacks. They can also find the geographic location and ISP providers of users and potentially conduct a Denial of Service (DoS) attack on the user. Therefore, it is recommended to use reliable VPN service providers and read their privacy policy, user agreement, and terms of service to understand what level of data is being logged and used.
Fowler also found a reference to a company named Changsha Leyou Baichuan Network Technology Co in the database, along with some notes in the Chinese Language, suggesting that Qingdao Leyou Hudong Network Technology Co owned these databases. However, both of these companies never confirmed if they are associated with each other or share the same developer.
The incident highlighted the importance for companies to respond to responsible disclosures. Fowler contacted both SuperSoft Tech and Qingdao Baichuan Network Technology Co., but received no response. It underscores the significance of adhering to best practices and the importance of timely response to responsible disclosures to prevent cyber threats.
In conclusion, the recent data exposure of SuperVPN raises serious concerns for VPN users. VPNs offer protection against cyber threats, but VPN providers must ensure that their user’s data is secure. Thus, using reliable VPN providers and reading their privacy, user agreements, and terms of service remains the best course of action for users to avoid data breaches. The recent incident serves as a reminder to all VPN service providers of their obligations to ensure user data security.