Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Security Databases Privacy

VPN With 'Strict No-Logs Policy' Exposed Millions of User Log Files (betanews.com) 86

New submitter kimmmos shares a report from BetaNews: An unprotected database belonging to the VPN service UFO VPN was exposed online for more than two weeks. Contained within the database were more than 20 million logs including user passwords stored in plain text. User of both UFO VPN free and paid services are affected by the data breach which was discovered by the security research team at Comparitech. Despite the Hong Kong-based VPN provider claiming to have a "strict no-logs policy" and that any data collected is anonymized, Comparitech says that "based on the contents of the database, users' information does not appear to be anonymous at all." A total of 894GB of data was exposed, and the API access records and user logs included: Account passwords in plain text; VPN session secrets and tokens; IP addresses of both user devices and the VPN servers they connected to; Connection timestamps; Geo-tags; Device and OS characteristics; and URLs that appear to be domains from which advertisements are injected into free users' web browsers. Comparitech notes that this runs counter to UFO VPN's privacy policy.
This discussion has been archived. No new comments can be posted.

VPN With 'Strict No-Logs Policy' Exposed Millions of User Log Files

Comments Filter:
  • by Anachronous Coward ( 6177134 ) on Saturday July 18, 2020 @08:05AM (#60303595)
    Maybe the policy was "no, logs!"
  • by Scutter ( 18425 ) on Saturday July 18, 2020 @08:06AM (#60303597) Journal

    Users of the services are advised to change their passwords immediately.

    And also maybe stop using the service entirely since they're complete liars and can't even do the one thing they're supposed to do.

    • by kipsate ( 314423 ) on Saturday July 18, 2020 @09:01AM (#60303699)
      And also maybe demand full reimbursement because of failing to deliver services as stated in a binding contract.

      And also maybe sue UFO VPNs developer TOOLSFOREST LTD and their CEO Lei Zhou for any and all damages incurred due to gross neglect.

      Or perhaps pay them a visit and let them know personally how you feel about their practices:
      UFO VPN company address: Lee Garden One, Room 1907, 19/F, Lee Garden One, 33 Hysan Avenue, Causeway Bay, Wan Chai District, Hong Kong

      And also maybe don't give their parent company any business either: DreamFii LTD.
    • And also maybe stop using the service entirely since they're complete liars and can't even do the one thing they're supposed to do.

      Be careful on sites like this when you recommend something like that. /., Hacker News, and so many other establishment media repeater sites usually censor logical, reasonable, defensible advice that results in not handing over one's freedom to businesses. One could reach the same conclusion about, say, running Microsoft's proprietary software when it is revealed that Microsoft h [ghacks.net]

      • by imidan ( 559239 )

        Be careful on sites like this when you recommend something like that. /., Hacker News, and so many other establishment media repeater sites usually censor logical, reasonable, defensible advice that results in not handing over one's freedom to businesses.

        Can you provide an example of Slashdot censoring such advice? I note that the GPP is currently modded insightful and is still very much present. Also, I'm not sure what an "establishment media repeater site" is.

        • by jbn-o ( 555068 )

          Can you provide an example of Slashdot censoring such advice?

          Usually this takes two forms: actively downplaying anyone who questions a proprietary software narrative and noticing that the preponderance of comments come from the perspective of accepting proprietary software as legitimate. For the former, try looking for any links to pages on GNU.org's proprietary page [gnu.org] where examples that challenge the legitimacy of proprietary control over the user are listed (in a highly organized way both by subject matter

          • by imidan ( 559239 )

            Okay. I'm not intending to dispute most of what you said, but I do consider proprietary software to be a legitimate thing. When I say that, I don't mean that I think it's the best thing. I think that free, open source software is better. But, surely, some proprietary software fills a need that people have, and when there is no comparable FOSS alternative, it's better for consumers to have access to the proprietary option than none at all? I mean, even given the list of bad things about proprietary software

  • I feel sympathy for those that think any of these VPN providers don’t keep logs...
  • anyone else... (Score:5, Informative)

    by argStyopa ( 232550 ) on Saturday July 18, 2020 @08:33AM (#60303645) Journal

    ...stop reading at "Hong Kong based VPN provider"?

    I'm already suspicious that MOST if not all VPN providers are fronts for law enforcement, intelligence, or organized crime (none of those are mutually exclusive by the way) but you'd have to be a special kind of stupid to believe a VPN hosted in China is safe. And yes, anyone with a brain has known since 1997 that Hong Kong was Chinese, regardless of public consensual delusions to the contrary.

    • I stopped reading at "strict no-logs policy". Anyone who's willing to trust their privacy to a VPN is an idiot.
      • by dfghjk ( 711126 )

        Tough words. You are no doubt an expert on the topic.

        Businesses trust their privacy to VPNs every day.

        • Businesses trust VPNs that they run. They control the endpoints. They control the encryption. They control the logging and they control the authentication. This is a world of difference from using a 3rd party VPN.

        • by msauve ( 701917 )
          >Businesses trust their privacy to VPNs every day.

          That's not the same thing. Businesses use VPNs to interconnect private networks at different sites, or to allow authorized access to their networks. They control both ends of the tunnel. What's being discussed here is completely different. It's allowing people to tunnel out to the Internet via a service, with the intent of hiding the original IP address, and/or disguising the geographic source. The user has no control of the other end.
      • I stopped reading at "strict no-logs policy". Anyone who's willing to trust their privacy to a VPN is an idiot.

        Why? Trust of privacy is dependent of many factors including how it impacts you. Honestly I would "trust" a Chinese VPN with my privacy more than I trust my local ISP. The former is likely handing my details over to a government which can't touch me, the latter is likely selling it to anyone with a credit card.

        I mean the hack and leak of all data not withstanding, there's generally a very different level of trust applicable to a VPN provider even if they are lying about their no logs policy.

        • by tlhIngan ( 30335 )

          I stopped reading at "strict no-logs policy". Anyone who's willing to trust their privacy to a VPN is an idiot.

          Why? Trust of privacy is dependent of many factors including how it impacts you. Honestly I would "trust" a Chinese VPN with my privacy more than I trust my local ISP. The former is likely handing my details over to a government which can't touch me, the latter is likely selling it to anyone with a credit card.

          I mean the hack and leak of all data not withstanding, there's generally a very different

          • The log entry is created the instant you log into them.

            That's splitting hairs in a disingenuous way. No one in the world is talking about login data. It is basically universally understood that they are talking about traffic logs capable of matching a user with externally visible data, i.e. timestamp, ipaddress, external port, and redirected ip/user account.

            As for China "not touching you" well, don't be so sure about that. Unless you have absolutely no family at all (and don't plan on having any) you're vulnerable if any one of them wants to travel. That new National Security Law applies to anyone around the world

            To them I say, come at me bro. The reality is China passes incredible sweeping laws to keep their own people in check, beyond that they use these laws against only the most aggressive of the anti CCP interna

      • You trust your privacy to Microsoft, Google, maybe Apple, Intel or AMD, Foxconn, your ISP, your router maker, etc, as we speak. Idiot.

    • I stopped reading at the name of the service....

      Only a fucking idiot would send a service named "UFO VPN" their hard earned money.

      Try the name with any other sort of service...

      "UFO SAVINGS AND LOAN"
      "UFO HEALTH INSURANCE"
      "UFO CHILD CARE"
    • There is an argument that if a VPN has already been subpoenaed by law enforcement but been unable to produce logs, they less likely to be keeping logs.

      And if they're also using a warrant canary showing negative, that no-log policy may also be the ongoing situation.

      Of course, none of the above would apply to a Chinese VPN.
    • by AmiMoJo ( 196126 )

      VPNs are no a panacea but they are useful. They don't have to be expensive either, e.g. Mulvad is based in Europe, staff are friendly and responsible, their client has been externally security audited or you can just use your own Wireguard/OpenVPN software. Pay in cash or Bitcoin too, 5 Euro/month.

      Just remember that you can't trust them more than your ISP, e.g. if you need more security layer Tor on top.

  • Do any of these services provide a published external audit of their service that confirms they are following their 'no log' policy? Without that I feel that they have very little reason to follow said policy because it doesn't benefit them to do so as long as they are making money.
    • Sure, sure, I offer "audits" at $50 a pop.
      My "business" is designed to check all the "credible" boxes. You know: Like Wikipedia "credible sources": Serious color scheme, clean design, understating marketing style, short business name containing something that sounds related to a university or institute, copies of all the usual bank and security business design memes, lots of fake customer reviews, the usual.
      I'm somewhere in Backwater, Shithole, sitting on my greasy 60s coffe table, sweatly, hairy, in the nu

      • I agree that there are a lot of audit companies that would do exactly that. My question is more along the lines is there any trusted verification that any of these services are doing exactly what they are reportedly doing that I would feel safe about using, or are all of them a sham just waiting to be exploited?
      • by lgw ( 121541 )

        No one's going to trust a security company named "barefoot" - it sort of gives away the game. But if you rebrand to "Bearfoot" then you have a solid business plan. Sounds very security-y.

  • Why use a VPN? (Score:5, Insightful)

    by Burdell ( 228580 ) on Saturday July 18, 2020 @09:10AM (#60303725)

    I get that people don't trust their ISP... but why do you trust some random VPN provider more? At least your ISP is probably some regulated entity (maybe poorly regulated, but at least SOME oversight). They have brick and mortar building where you can go yell at someone, and if enough people get upset, you MIGHT can get some change. In some areas, it may even be a co-op, where you're an owner and can go yell at a a meeting.

    But some random website you clicked on the Internet, then gave your credit card to, then route all your personal information through? When did that ever make sense?

    • I get that people don't trust their ISP... but why do you trust some random VPN provider more?

      Because my ISP options are known to be untrustworthy, and also criminal (one has misappropriated billions of taxpayer dollars, the other has been caught making hidden charges.) I know they're untrustworthy. A random VPN provider might be more trustworthy. At least, there's a chance. There's no chance that my ISP can be trusted.

    • Because you want to do file sharing, and your ISP sucks Content Mafia dick?

      Because you don't trust exactly those "regulated" entities and their masters you are talking about, and they are your enemies? (Like being a revolutionist, e.g. in China.)

      Because you don't want sites to know you are the same guy who likes gagging on shitting dick nipples. ;)

      But hey, the best VPN in still onion-routing through a mix of zombies that you hacked yourself. ;)

      • Just configure a proxy on a VM you pay for using Bitcoin, or maybe just use a Windows VM directly - but then you may miss out on "local" content
      • I thought I'd seen it all but I can't draw the picture in my mind of what "shitting dick nipples" are. Much less what gagging on them entails.

        • I'd draw you a picture of what I drew in my mind but it gave me PTSD and now I need to make an appointment with a therapist.
        • Some people have fetishes. Sometimes those fetishes are very niche. Sometimes people combine multiple niche fetishes together and then draw them for the world to see. Sometimes those people trust the wrong VPN, apparently.

          • It never ceases to amaze me the wealth of information and insight into other's sexual psyches available on the net.

            The last time I was "wtf?! Is that real?!" about a fetish was when I saw a video of a woman in high spiked heels stomping on live mice in a box. It had to be a joke or something. Unfortunately, no, it turned out to really be a "thing". I'm pretty open minded but every so often... wow. *head explodes*

    • my ISP IS A REGULATED ENTITY is exactly why I don't trust them. I know they must comply with my local laws and must keep logs and hand of logs to the government and is subject to government laws. Hence I use a VPN in a remote country with no data sharing laws with my country.
  • By the Pirate Bay guys. Can be paid anonymously too, afaik.
    A more credible provder than the usual suspects.

  • Don't be naive- if you think that any VPN provider truly doesn't keep logs, you're being foolish. Of course they do.

    • by lgw ( 121541 )

      Why would they bother, other than being too stupid to change defaults? It's more work than not keeping logs. Only if legally required, which obviously it would be in China.

  • Only a fool would trust those claims.

  • I am shocked, shocked that some shady foreign VPN didn't actually offer complete privacy!
  • But, but but.... VPN's cure everything! What could go wrong with routing all of your Internet traffic through a single server that belongs to some random person/company that you don't know?

    That being said, I actually do use a VPN... one that I set up on my own routers at my work. I'd have to have a screw or two loose to use somebody else's VPN.
    • by Chozabu ( 974192 )
      I use speedify,as a VPN, not for privacy, but because it makes it easy to bond two crummy connections in redundant mode - resulting in a decent connection. (well, sometimes - when their own servers are not freaking out)

      I wouldn't be surprised if they are logging everything, would rather they don't but not a big issue, I'll be protecting myself in other ways if needed.
    • I use both. I'd like to think you know the difference between VPN's for remote access and those for obfuscation/privacy. Same technology, totally different (and equally worthwhile) goals.

  • Shut down their business and throw them in jail for lying and cheating and being fucking assholes.
  • by Sqreater ( 895148 ) on Saturday July 18, 2020 @10:44AM (#60303929)
    Come on, who else do you think is responsible?
  • I was told there are two kinds of VPN companies: Those that are logging, and those that are lying. Seems these guys were lying, and since they were not supposed to do any logging, they naturally didn't need to keep the logs secure.
  • Simple question before you trust any corporation with potentially compromising or sensitive information about yourself: How do they make their money? UFO VPN doesn't charge people to use its VPN services, so who pays for the infrastructure, office space, salaries, & investors' profits? Yeah, of course they keep users' logs so that they can sell them to advertisers & use them in any way possible to make money from them that they can get away with.
  • A VPN provider that lies to its users AND is completely incompetent as it can't protect its data and stores passwords in clear text. Seriously anyone still using these guys deserves zero privacy.
  • If the official service terms stated "no longs" but logs were found, that sounds like all customers can sue for refund for all services rendered in the past, since the service as advertised was not provided. Depending on local laws they might be able to sue for additional damages, but all fees ever collected is a good start. It would be a good example for any future ISP's who want to claim "no logs".

Computer Science is merely the post-Turing decline in formal systems theory.

Working...