By Dave McKay | July 19, 2020
If it’s Free, You’re the Product
On the internet, if something is free, you have to ask yourself how the provider makes money. Usually, it is by selling your data.
A Virtual Private Network (VPN) is usually a good thing to use. It can help to anonymize your online activity and prevent unwanted cyber-snooping when you’re using public Wi-Fi.
Decent VPNs cost money. For a small monthly fee you get a fast, reliable, secure service. Free—or too cheap to be true—VPNs are a different kettle of fish entirely.
They’re slow, clunky, and do who knows what with your data. The data we’re talking about here is your identity and your web browsing records.
Seemingly, seven Hong Kong-based VPN providers – UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN – all share a common entity, which provides a white-labelled VPN service.
Despite assurances to the contrary, that entity most definitely logs user data and activity, and does nothing to secure or safeguard it.
That much is plainly obvious because a publicly accessible Elasticsearch database has been discovered, crammed full of user logs and personal details, including plain-text passwords.
The silo contained streams of log entries as netizens connected to UFO’s service: this information included what appeared to be account passwords in plain text, VPN session secrets and tokens, IP addresses of users’ devices and the VPN servers they connected to, connection timestamps, location information, device characteristics and OS versions, and web domains from which ads were injected into the browsers of UFO’s free-tier users.
Source: The Register