A popular free VPN service has been accused of leaking over 360 million user data records online.
SuperVPN's breach includes a staggering amount of people's sensitive information, including email addresses, original IP addresses, geolocation records, unique user identifiers, references to visited websites, and more.
With the service counting over 100 million downloads worldwide across the Google and Apple app stores, the expert who investigated the incident believes it should "serve as a wake-up call" for users about the need to choose a trustworthy VPN service instead.
"As more people around the world care about data privacy or try to bypass censorship, they often use a VPN. This is a prime example of what data could be captured, shared with governments, or exposed in the event of a data breach," Jeremiah Fowler, the cybersecurity researcher who discovered and reported on the breached database, told TechRadar Pro.
Fowler discovered a publicly exposed database linked with the SuperVPN app containing 133 GB of data, including personal user information such as IP location, servers used and Unique App User ID numbers as well as details about user online activities, device model, operating system and refund requests.
After Fowler reached out to the available email addresses associated with both the iOS and Android versions of the VPN app, the database was closed without any explanation.
The move is especially concerning as the SuperVPN app was, in fact, trending on Twitter "as recently as last week when Pakistan blocked social media," Fowler told us.
Another reason to worry comes from looking at the ownership behind SuperVPN. In his report for VPNMentor, Fowler observed how the app is listed under separate developers on the two app stores despite having exactly the same name and two very similar logos.
On Google Play, SuperVPN is credited to SuperSoft Tech, while SuperVPN for iOS, iPad, and macOS is said to be developed by Qingdao Leyou Hudong Network Technology Co. Among the leaked files, Fowler could even find references to another company named Changsha Leyou Baichuan Network Technology Co.
"All appear to have connections to China, and notes inside the database were in the Chinese language," he confirmed, arguing that all indications point to Qingdao Leyou Hudong Network Technology Co. as the owner of the public database exposing SuperVPN's user data.
Neither company responded to any requests for comment, nor provided any information about their ownership and location on their websites - a silence which, according to Fowler, raises "concerns about the transparency and security of these free VPN services."
This isn't the first time that SuperVPN has alarmed cybersecurity experts. In 2020, users were warned to delete this VPN as it was putting millions of VPN users at risk of hacking. SuperVPN was also identified as dangerous in 2016, when Australian researchers found it to be one of the most malware-rigged VPN apps around.
How to avoid insecure VPNs
Sadly, this incident is one of a series of instances that show the risks of relying on an insecure VPN service to protect online data. That's especially troubling as internet shutdowns are on the rise and, consequently, people are in dire need of security and circumvention tools on a very limited budget.
"This incident serves as a wake-up call for anyone who uses a VPN to understand why choosing a trustworthy and reputable service is important for your privacy in more ways than just your internet activities," said Fowler.
Fowler suggests looking out for these red flags before signing up for a VPN service:
- Unclear wording around data collection practices. Users should always make sure to sign up for a no-log VPN to ensure the provider cannot collect and sell their personal information to third parties;
- Lack of a "Who We Are" / "About Us" section on the official website. It's vital for users, especially those in dire need of protecting their privacy, to be able to determine that the service they choose isn't linked with countries infamous for their surveillance or censorship activities;
- Lack of basic security features. Fowler especially recommends avoiding VPN services without DNS-leak protection, or whose encryption is neither 128-bit nor 256-bit AES;
- Poor reviews. Users should take their time to scroll through other customers' reviews before downloading any kind of app, especially when it comes to a security service. It's very likely that other users have already discovered its vulnerabilities.
For those after a reliable free service, our favorite at the moment is PrivadoVPN. Elsewhere, some providers, including Surfshark, offer premium accounts for NGOs, activists and journalists living under restricted internet freedom.
It is also worth noting that many premium services are far from what could be described as a secure VPN; SuperVPN itself is included here, as it also sells paid subscriptions.
"The narrative is not limited to free VPN—it's about companies that do not care about privacy," Hide.me VPN CEO Sebastian Schaub told TechRadar Pro.
"If you have a Chinese player with zero trust records, no corporate history, no public leadership and suspicious looking apps, I'd call for greater oversight on how they are even able to participate in the marketplace. Apple and Google should enforce the disclosure of which data is being processed and stored, and then inform the users.
"I'd say it's a rather grim outlook—the malicious behavior continues and there's not much you can do about it until big corporations limit the visibility of shady apps."