I wish we didn’t need VPNs, but they can be a necessary part of a balanced data security breakfast. ISPs, governments, advertisers and even individuals keen on knowing what you do online can find ways to easily track your browsing data. VPNs make doing so harder (but hardly impossible) by obfuscating your connection through a proxy server. They can’t hide you from everyone, but they’re a valuable privacy tool — as long as they aren’t the ones responsible for leaking your data.
Cybersecurity firm Comparitech reports UFO VPN’s user information database has been leaking data daily due to poor security. The firm reported the leak to UFO VPN on July 1st. Comparitech says the database contains:
- Account passwords
- VPN session secrets and tokens
- IP addresses of both user devices and the VPN servers they connected to
- Connection timestamps
- Device and OS characteristics
- URLs that appear to be domains from which advertisements are injected into free users’ web browsers
Much of this data is stored in easily read plaintext files, yet the database wasn’t secured or encrypted. It didn’t even require a password for access. The number of affected accounts is unknown, but it’s possible all UFO VPN users had at least some of their data leaked; the database exposed over 20 million user logs per day. Worse, UFO VPN shared the same codebase and setup as a number of other generically named Android VPN apps — some with up to one million individual installations. These additional apps, as reported by Android Police, include:
What to do if your info was leaked
If you have used any of these VPNs, change your account information at the very minimum. Update any other accounts that use the same passwords — get unique passwords, already — and turn on two-factor authentication for any services you can. Use Have I Been Pwned to check for any further compromises and update your passwords as necessary.
I don’t blame anyone for leaving UFO VPN after this debacle. This leak puts users at risk and undermines trust in UFO VPN and, frankly, the VPN market as a whole. Plenty of VPNs make the same “no-log” promise as UFO VPN, and it’s now entirely justified to wonder if they’re telling the truth. More than ever, it’s worth taking the time to find a VPN you trust.
But don’t take this to mean VPNs are a lost cause. As I said earlier, they are one part of a good data security strategy. For the best level of security possible, you need more than just a VPN — even a trustworthy one.
Obviously we’re big fans of encrypted password managers, but you can boost privacy with the right web browser and/or browser add-ons, too. You can also enable DNS over HTTPS if your browser or device’s operating system so allows, as that also helps hide your web traffic from peering outsiders. While no system is foolproof, a well-considered mix of these strategies can make recovering from data breaches much easier.