A group of free VPN (virtual private network) apps left their server completely open and accessible,
exposing private user data for anyone to see. This lack of basic security measures in an essential
part of a cybersecurity product is not just shocking. It also shows a total disregard for standard
VPN practices and puts their users at risk.
The vpnMentor research team, led by Noam Rotem, uncovered the server and found Personally Identifiable Information (PII) data for potentially over 20 million VPN users, according to claims of user numbers made by the VPNs.
Each of these VPNs claims that their services are “no-log” VPNs, which means that they don’t record
any user activity on their respective apps. However, we found multiple instances of internet activity
logs on their shared server. This was in addition to the PII data, which included email addresses,
clear text passwords, IP addresses, home addresses, phone models, device ID, and other technical
The VPNs affected are UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN – all of which appear to be connected by a common app developer and white-labelled for other companies.
According to their respective websites, every one of these VPNs provides military-grade security features and a
zero-logs policy to protect its users' information. What we found during our research contradicts
both claims.
Sometimes, the extent of a data breach and the owner of the data are obvious, and the issue is quickly
resolved. But such cases are rare. Most often, we need days of thorough investigation before we
understand what's at stake or who's exposing the data.
Understanding a breach and its potential impact takes careful attention and time. We work hard to
publish accurate and trustworthy reports, ensuring everybody who reads them understands their
We quickly established that the VPNs using the exposed database and server most likely shared a
common developer and owner.
Some of the VPN package names also appear in the URL for the apps on Google Play, while others may be for Windows or Mac versions of the same app.
Example of Data Entries
Throughout our investigation, the exposed server was still live, with recent entries included in the logs.
The server’s data evidently belongs to the systems and users of UFO VPN, Fast VPN, Free VPN, Super VPN, Flash VPN, and Rabbit VPN. In most cases, the data entries we found were not limited to just one VPN, but instead were related to all of them.
Clear Text Passwords
We found logs that contained – in clear text – the email address of users and their passwords for account registration, password change requests, and failed login attempts.
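The failure described above, as an added example that is not code from the original report or from the VPN developer: a login handler that serialises the whole request object into its log line (the pattern the leaked logs imply), the same handler with secret fields scrubbed before serialisation, and a small audit function for finding credential-looking fields that are already sitting in a log. The field names, log format and sample log lines are constructed for this example; the set of keys treated as secrets is an assumption, not something taken from the exposed server.

```python
"""Added example: how clear-text credentials end up in server logs, and how to
stop it. Nothing here is from the exposed server or the VPN developer's code."""
import json
import re

# Assumed list of field names treated as secrets. Real deployments extend it.
SENSITIVE_KEYS = {"password", "passwd", "pwd", "new_password", "old_password", "token"}

def redact_event(event: dict) -> dict:
    """Return a copy of the event with secret fields replaced by a marker.
    Recurses so secrets nested inside a request body are scrubbed too."""
    cleaned = {}
    for key, value in event.items():
        if key.lower() in SENSITIVE_KEYS:
            cleaned[key] = "[REDACTED]"
        elif isinstance(value, dict):
            cleaned[key] = redact_event(value)
        else:
            cleaned[key] = value
    return cleaned

def log_login_attempt_unsafe(event: dict) -> str:
    """What the leaked logs amount to: the entire request object, credentials
    included, is dumped into the log line."""
    return "login_attempt " + json.dumps(event, sort_keys=True)

def log_login_attempt_safe(event: dict) -> str:
    """Same log line, but secret fields are scrubbed before serialisation.
    The same redact_event() call belongs in a logging.Filter for real code."""
    return "login_attempt " + json.dumps(redact_event(event), sort_keys=True)

# Audit pattern for existing logs: a known secret key, then ':' or '=', then a value.
# Matches both JSON-style  "password": "x"  and key=value style  password=x.
_SECRET_RE = re.compile(
    r'"?(' + "|".join(sorted(SENSITIVE_KEYS)) + r')"?\s*[:=]\s*"?([^",\s}]+)',
    re.IGNORECASE,
)

def find_plaintext_secrets(log_lines) -> list:
    """Return (line_number, key) for every secret-looking field whose value is
    not already the redaction marker."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for m in _SECRET_RE.finditer(line):
            if m.group(2) != "[REDACTED]":
                hits.append((n, m.group(1).lower()))
    return hits

# Constructed sample log lines, in the shape a leaky login/password-change
# service might emit. Addresses and credentials are made up.
SAMPLE_LOG = [
    'login_attempt {"email": "user@example.com", "password": "hunter2", "ip": "203.0.113.7"}',
    'password_change user=user@example.com old_password=hunter2 new_password=hunter3',
    'login_attempt {"email": "user@example.com", "password": "[REDACTED]", "ip": "203.0.113.7"}',
]

if __name__ == "__main__":
    event = {"email": "user@example.com", "password": "hunter2",
             "device": {"model": "X", "token": "abc"}}
    print(log_login_attempt_unsafe(event))
    print(log_login_attempt_safe(event))
    print(find_plaintext_secrets(SAMPLE_LOG))
```

Only the first two sample lines are flagged by the audit function; the third carries the redaction marker and passes. The audit regex is deliberately permissive (case-insensitive, tolerant of quoting), so on a real log it should be treated as a triage tool that surfaces candidates for a human to confirm, not as proof that a log is clean.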
vpnMentor is the world’s largest VPN review website. Our research lab is a pro bono service that strives to help the online community defend itself against cyber threats while educating organizations on protecting their users’ data. Our ethical security research team has discovered and disclosed some of the most impactful data leaks in recent years. This has included an enormous data leak exposing credit cards, government IDs, and more belonging to millions of US citizens. We also revealed that a popular online learning platform compromised the privacy and security of people across the globe. You may also want to read our VPN Leak Report and Data Privacy Stats Report.