Sign up today for an exclusive discount along with our 30-day GUARANTEE — Love us or leave, with your money back! Click here to become a part of our growing community and learn how to stop gambling with your investments. We will teach you to BE THE HOUSE — Not the Gambler!

Click here to see some testimonials from our members!

“Zero Logs” VPN Company Exposes Millions Of User Logs

Courtesy of ZeroHedge.

Hong Kong-based UFO VPN, which claims a ‘zero logs’ policy, maintained a database without any password, exposing over 20 million user logs per day, amounting to 894 GB of data.

The logs reportedly included passwords, IP addresses, geographical location, connection timestamps, session tokens, device information and the OS used.

This is in stark contrast to UFO VPN’s stated privacy policy that “We do not track user activities outside of our Site, nor do we track the website browsing or connection activities of users who are using our Services.”

The exposure, found by Comparitech security’s Bob Diachenko, came about after search engine Shodan.io indexed the server hosting the data. Diachenko discovered the exposed data four days later and notified UFO VPN. Two weeks later, he notified the hosting provider, and the next day, more than two weeks after UFO VPN was notified, the database was secured.

If bad actors managed to get their hands on the data before it was secured, it could pose several risks to UFO VPN users.

The plain-text passwords are the most clear and direct threat. Hackers could not only use them to hijack UFO VPN accounts, but might also be able to carry out credential stuffing attacks on other accounts. If the same password is used across multiple accounts, they could all be compromised.

IP addresses could be used to discern users’ whereabouts and corroborate their online activity. VPNs are often used to hide users’ real locations and online activity.

The session secrets and tokens could be used to decrypt session data that an attacker might have captured. For example, if an attacker intercepted encrypted data being sent through the VPN on a compromised wi-fi network, they could conceivably decrypt that data with this information.

Email addresses could be used to target users with tailored phishing messages and scams. -Comparitech

The company told Comparitech in an email: “Due to personnel changes caused by COVID-19, we’ve not found bugs in server firewall rules immediately, which will lead to the potential risk of being hacked. And now it has been fixed,” adding “We don’t collect any information for registering.”

“In this server, all the collected information is anonymous and only be used for analyzing the user’s network performance & problems to improve service quality. So far, no information has been leaked.”

Comparitech disagrees, and believes that the exposed data was not anonymous.

UFO VPN says it has 20 million users, and claims to offer “bank grade protection” in addition to its “zero log” policy. Its focus is unblocking content such as region-locked streaming service Netflix, as well as blocked apps and websites.

