VPN provider who claimed it didn't keep logs gets hacked, logs released

OVERKILL

$100 Site Donor 2021
Joined
Apr 28, 2008
Messages
53,782
Location
Ontario, Canada

Perhaps, the most ironic moments in the cybersecurity world occur when those who promise to protect your online privacy cannot guard their own turf. We’ve seen this happen from time to time with security firms getting hacked themselves. Another similar case has emerged recently when the database of a Hong Kong-based VPN provider called UFO VPN was exposed with more than 20 million users logs.

Discovered by researchers from Comparitech on July 1st, 2020; the exposure occurred due to the database hosted on an Elasticsearch cluster being left without any password.

Worth 894 GB, the data allegedly included plaintext passwords, IP addresses, timestamps of user connections, session tokens, information of the device, and OS being used along with geographical information in the form of tags.

The implications of this are pretty dangerous in that not only user accounts are at risk of being taken over by malicious actors but users can also be tracked online. Furthermore, using the session tokens, any encrypted data that someone gains access to could also be decrypted rendering the entire concept of encryption useless in this scenario.

This is actually a second article as a follow-up to another VPN provider, PureVPN, who claimed to not keep logs, yet provided them to the FBI:
 
Joined
Dec 7, 2008
Messages
4,246
Location
Virginia
200.gif
 
Joined
Jul 10, 2012
Messages
8,710
Location
South Carolina
People and their 'VPNs protect my privacy!' nonsense. Yeah, nope.

Oh come on now, any idiot, and I mean idiot in the strongest sense of the word, who chooses a VPN from a communist controlled country or territory deserves to be hacked. Trashing all VPN's is like saying engine failure is the oil and not the design of the engine.

Choose a real company, A company like VPN Secure is a stand up company based in Australia, you know, part of the "free" world?
 
Joined
Oct 16, 2010
Messages
341
Location
TN
Hmm, Purevpn is based in Hong Kong China. I didn't know that. I don't use vpn so it doesn't matter to me, but it surprised me they (Communist government) would turn over info to the FBI.
I do occasionally use the tor browser. I wonder who has their hooks in that...
 
Joined
Oct 28, 2002
Messages
50,970
Location
Everson WA - Pacific NW USA
Not that much different in my book than the big 3 credit reporting agencies (Equifax, etc) being hacked and ID's stolen. Trust NO ONE. "They" have won. Protect YOURSELF.
 
Joined
Jul 14, 2020
Messages
311
Location
DFW Metroplex
All VPN providers have log files of what is going on in their systems, there’s no question about that.

The question is “how easy is it for someone outside the company to acquire those logs, whether legally or illegally?

Acquisition through illegal means is dependent on their security and op-sec practices and standards, and that’s not something they will ever disclose to the public. You just have to decide who you think is more likely to be better defended against intrusions and attacks.

Acquisition through legal means is dependent upon the local, state/province, and national laws to which they are subject.

If they are located in a country with draconian control laws that mandate severe punishments for infractions (China comes to mind) or require persistent govt access to be able to operate, you can count on the logs being easily acquired for any reason.

If they are located in a country with a facade of business rights and purport to require court orders to access logs, acquisition is not necessarily easy but can be done nonetheless.

The bottom line is that noVPN is truly as safe as they’d like you to think for traffic that you don’t want anyone to know you are responsible for. There is a record of everything you do on the web somewhere out there, and if what you are doing is important enough to uncover for someone, they will acquire those logs.
 
Joined
Oct 16, 2010
Messages
341
Location
TN
Not that much different in my book than the big 3 credit reporting agencies (Equifax, etc) being hacked and ID's stolen. Trust NO ONE. "They" have won. Protect YOURSELF.

Yes, this really makes me angry. "They" collect all types of information about people, allow it to get stolen. Then, for a fee, they will attempt to mitigate the damage "for you". And we can't stop them from collecting the information in the first place.
And they want you to pay in order to view the information they have about you.
 
Joined
Apr 25, 2017
Messages
8,340
Location
Ohio
Choose a real company, A company like VPN Secure is a stand up company based in Australia, you know, part of the "free" world?
How do you know they don't keep logs ? I mean, you simply have to trust them....

All VPN providers have log files of what is going on in their systems, there’s no question about that.
They can enable logging of only what they need for their internal needs though. On the user side, they can selectively choose what to log vs what not to log and hopefully do it in a way that helps diagnostics but also protects privacy.
 
Joined
Jul 10, 2012
Messages
8,710
Location
South Carolina
Its a non issue for me, if your going to chose a VPN, chose a reputable company that is NOT based in a Communist Controlled country!
I think that is a pretty good criteria for step #1 in selecting a VPN!

*LOL*
 
Joined
Aug 2, 2014
Messages
1,475
Location
Gulf Coast, MS
VPN's can be hard to trust due to the closed source nature of it. In general it's easier to assume they all log unless proven otherwise. I know PIA was subpoenaed twice now and both times testified in court they do not log and nothing was handed over.

Even than they have changed ownership so times may have changed. My advice for any VPN is ignore any who operate out of a country which has mandatory data retention laws. Virtually all claim no logs but it's impossible to prove, even the ones who where publically audited no longer run the same software (due to updates).

I wouldn't trust audits long term unless they released a hash for the software and made it publically viewable which software (by hash) was running currently on their networks. Several know providers have most likely be back doored as well (no tin foil hats) but anything considered private has always been the target of the NSA or other foreign intelligences.
 
Joined
Jul 10, 2012
Messages
8,710
Location
South Carolina
Yes, this really makes me angry. "They" collect all types of information about people, allow it to get stolen. Then, for a fee, they will attempt to mitigate the damage "for you". And we can't stop them from collecting the information in the first place.
And they want you to pay in order to view the information they have about you.

Its very easy now to lock your credit on all 4 major agencies. Its all free, bottom line, like everything else, the vast majority of Americans are too lazy to do it. Its fact, even though its free, only about 20% of Americans lock their credit.

(ps you can also view all 3 major credit agencies reports on you, every year, for free)

As far as VPNs, same deal, if your a criminal I doubt a VPN will help you, but if your an average law abiding American and just do not want your ISP selling your and that of your family, private information to the highest bidder in the world, then a VPN IS EFFECTIVE.

People will always find an excuse to be a victim and then complain about it. Take charge of your lives, dont count on a politician to do it for you. Good god ... :eek:)
 
Last edited:
Joined
Oct 16, 2010
Messages
341
Location
TN
All of my credit bureaus have been locked for years. That didn't stop Experian from allowing my information to get hacked. And then offering to "protect" my information for a fee.
So, how do you keep yourself from being a victim from credit bureaus?
 
Joined
Oct 28, 2002
Messages
50,970
Location
Everson WA - Pacific NW USA
All of my credit bureaus have been locked for years. That didn't stop Experian from allowing my information to get hacked. And then offering to "protect" my information for a fee.
So, how do you keep yourself from being a victim from credit bureaus?
This is a very important distinction. Yes locking is free, but their other "services" cost money. I have no problem with that - I just have a not so unreasonable expectation that they control the data, my data, your data - and am not expecting the gov to "fix" the mess.
 
Joined
Jul 10, 2012
Messages
8,710
Location
South Carolina
The hacks dont matter if you lock your credit, no one can take out loans in your name. Isnt that the reason anyone cares?
BTW, the above should be the ONLY reason, security from fraud.

As far as hacks, dont even think about it. Your friends in China who you buy all your stuff from to support the communist government over there, already has hacked most Americans SS numbers, same with the Russians.

Like anything, Americans will always whine but take action? Nope and the proof is only about 20% bother with all the FREE tools available to them through the major credit agencies.
 
Joined
Oct 16, 2010
Messages
341
Location
TN
The hacks dont matter if you lock your credit, no one can take out loans in your name.


As far as hacks, dont even think about it. Your friends in China who you buy all your stuff from to support the communist government over there, already has hacked most Americans SS numbers, same with the Russians.

Like anything, Americans will always whine but take action? Nope and the proof is only about 20% bother with all the FREE tools available to them through the major credit agencies.


When a credit bureau gets hacked, thieves get your name, address, social security number and possibly more information. I'm not worried about loans. I feel that if bureaus are allowed to collect this information against my wishes they should at least safeguard it.
 
Joined
Jul 10, 2012
Messages
8,710
Location
South Carolina
When a credit bureau gets hacked, thieves get your name, address, social security number and possibly more information. I'm not worried about loans. I feel that if bureaus are allowed to collect this information against my wishes they should at least safeguard it.

So if you will, please tell me what they will do with your SS#, name, address, ect
IF that is all you are worried about, then why do you care? (please answer if you have an answer, same to Pablo above)


As far as credit bureaus collecting your information, the only reason that information is there is because you went to other people to borrow money for stuff you wanted to buy. IF you didnt borrow money, they would have no information on you.
 
Last edited:
Top