Free Chinese VPN exposed data from over a million users

Data leak
(Image credit: Shutterstock/dalebor)

Cybersecurity researchers have discovered unencrypted data of about a million users of Quickfox, a free virtual private network (VPN) service primarily used to access Chinese sites from outside of mainland China.

Commenting on the find, WizCase says that the data exposed a variety of personally identifiable information (PII) of the users of the service, including their names, phone numbers, and more.

“There was no need for a password or login credentials to see this information, and the data was not encrypted. Based on the records exposed, our team estimates that the breach affected at least a million Quickfox users,” writes WizCase.

TechRadar needs yo...

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.

>> Click here to start the survey in a new window <<

The security researchers claim that they tried bringing the leak to the attention of Quickfox, but the free VPN provider hasn’t yet responded to their hails.

Overzealous collection

The data was discovered through a misconfiguration in Quickfox’s ElasticSearch server thanks to incomplete ELK stack security. 

The researchers explain that ELK (Elasticsearch, Logstash, and Kibana) are three open source applications that help streamline searches through large files, such as the logs of an online service like Quickfox.

“Quickfox had set up access restrictions from Kibana, but had not set up the same security measures for their Elasticsearch server. This means that anyone with a browser and an internet connection could access Quickfox logs and extract sensitive information on Quickfox users,” explained WizCase.

The total leaked data was made up of over 500 million records and totaled over 100GB. About a million of these records had PII of users, including MD5 hashed passwords, which WizCase claims can’t withstand modern password crackers.

Worryingly however, the leaked data didn’t just contain the IP address assigned to the user, but also the user’s original IP address from which they connected to the VPN service. WizCase was also surprised that the service collects data about the other software installed on the user’s device.

“It’s unclear why the VPN was collecting this data, as it is unnecessary for its process and it is not standard practice seen with other VPN services. We could not find Quickfox’s terms of use or privacy policy to confirm whether or not users were aware of the information that Quickfox is extracting,” WizCase observes.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.