Free VPN exposes the data of one million users
Personal data of about one million Quickfox VPN users were exposed on the internet, from a server without the proper security settings. Names, phone numbers, emails and other user-delivered information could be viewed by anyone, an aspect that would be bad enough and still goes along with the fact that the free platform has most of its user base in China , where it is used to circumvent local internet restrictions and access sites considered to be banned.
The alert was made by WizCase, a company specializing in cybersecurity, which found the information on an Elastic Search server. The infrastructure was accessible without the need for login and password, while the data itself was directly available, without any type of encryption applied, indicating the absence of proper settings by the platform administrators.
In total, there were more than 500 GB of data and 100 millions of records — multiple user entries led the security company to an estimated one million people affected. Passwords were also part of the volume, but were in
hash MD5 format, providing some protection, but according to WizCase, unable to resist read attempts by modern software used by criminals and government agencies to break encryptions of this type.
The specialists also draw attention to the fact that, among the records, are also the IPs assigned to each VPN user, as well as the original addresses used for access. Again, when talking about a service used to circumvent government restrictions, such exposure creates a real danger of persecution for users, as the very cataloging of such information by the platform can be considered a breach of trust. Another hard record, included in the volume, is related to lists of software installed on users’ machines for update purposes.
Sample of leaked data from VPN Quickfox, with the right to personal information of users, access IPs and even lists of software installed on the machines (Image: Playback/Wizcase)
Those responsible for the discovery go further, pointing out that this type of storage is not even necessary. This is not a legal imposition or a common security practice, quite the opposite. WizCase also points out that there is no mention of this type of registration in the VPN terms of use, which leads to thinking that users may not be aware of such a situation. In addition to Chinese, the leak affects individuals in the United States, Japan, Indonesia and Kazakhstan, who appear as the majority of the exposed volume.
Quickfox did not respond to specialist contacts, while their report it is not clear whether the server remains unprotected at the time this report is written. Because of this, it is also not possible to measure whether the database was viewed or downloaded by third parties, especially malicious individuals who may use such information to apply scams or carry out attacks.
According to researchers, the ideal is that users pay attention to the terms of use of VPN services and be aware of the type of information requested during registration. It’s also worth researching trustworthy services and paying attention to messages or emails that might be fraudulent; this is especially true for Quickfox users who may now be targeted by criminals looking for new intrusions or financial and personal information.
Source: Wizcase
