Seven No-Logging VPN Providers Publicly Exposed Over a Terabyte of Logs

Shaun Nichols, the Register:

A string of “zero logging” VPN providers have some explaining to do after more than a terabyte of user logs were found on their servers unprotected and facing the public internet.

This data, we are told, included in at least some cases clear-text passwords, personal information, and lists of websites visited, all for anyone to stumble upon.

It all came to light this week after Comparitech’s Bob Diachenko spotted 894GB of records in an unsecured Elasticsearch cluster that belonged to UFO VPN.

An un-bylined report from vpnMentor dug deeper:

The vpnMentor research team, led by Noam Rotem, uncovered the server and found Personally Identifiable Information (PII) data for potentially over 20 million VPN users, according to claims of user numbers made by the VPNs.

Each of these VPNs claims that their services are “no-log” VPNs, which means that they don’t record any user activity on their respective apps. However, we found multiple instances of internet activity logs on their shared server. This was in addition to the PII data, which included email addresses, clear text passwords, IP addresses, home addresses, phone models, device ID, and other technical details.

The VPNs affected are UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN – all of which appear to be connected by a common app developer and white-labeled for other companies.

Let’s set aside the logging story for now — Dreamfii HK, the creator of all of these VPN services, denies that the logs are exactly as described and claims that their presence does not undermine its claim that these services do not log users’ activity. I want to focus on this business of white labelling, as it is rampant in the VPN world.

There are so many companies that promote VPN reselling as a get-rich-quick business that it makes it hard to trust any provider. NordVPN, for example, is a well-regarded service that resells its infrastructure to many other brands — BullGuard is one such customer, according to Trusted Reviews, but I cannot find any acknowledgement of this arrangement other than a 2018 press release. There is no instance that I can see of NordVPN in BullGuard’s marketing materials and other customer-facing pages.

In a June report, Katie Kasunic of vpnMentor found seven companies that own dozens of VPNs between them, usually only acknowledging their ties in legal documents or press releases. However, Kasunic does not state anywhere that NordVPN offers its own white label service, even as vpnMentor heavily promotes and recommends it.

This kind of reminds me of the food supply chain. I don’t know if you’ve ever flipped through the recalls issued by Health Canada, the FDA, or your local equivalent, but it’s an educational experience. You’ll often see entries, like this one for salads or this one for margarine, with lists of several ostensibly competing brands contaminated with the same stuff from the same plant.

There is nothing inherently wrong with white labelled goods and services, but I do think their use is inadequately disclosed. It is detrimental to our understanding of what we are buying and makes it hard to compare different products.