UFO VPN Data Breach: Managed Attribution Tools and Risks
VPN Services Expose Millions of Users’ Personal Information
Virtual Private Networks, or VPNs, are supposed to provide consumers with a secure and easy-to-use way to traverse the internet—after all, “private” is right there in the name. But what if the information we provided to those services was not so private?
According to security researchers, UFO VPN, a free VPN provider, exposed the personal information of millions of users, including their technical and behavioral indicators. The breach also extends to six other VPN services that appear to be connected to the Hong Kong-based UFO VPN.
We’ve written previously about the risks of using VPNs as a managed attribution (MA) solution, and the UFO VPN episode illustrates the exact consequences of using a sub-par MA solution.
The data breach was the result of an unsecured database that UFO VPN and others were using to store user information. Among the cache of technical and behavioral information were users’ IP addresses, geo-tags, account passwords saved in plaintext, device fingerprints, and payment information. Multiple instances of users’ online activity logs were also saved on the unsecured database, which belies the VPN providers’ claim that they did not log users’ activity.
The consequences of this data breach may be enduring for UFO VPN’s purported 20 million subscribers, leaving them vulnerable to cyber risks well into the future.
Exposed email addresses could be used by threat actors to target victims in spear phishing or other social engineering attacks. Stolen usernames and passwords could be used in credential stuffing attacks to access users’ online accounts. Activity logs, IP addresses, and other personally identifiable information could be used to dox or otherwise expose users’ true identities and affiliations.
Managed attribution is an active process of managing the technical and behavioral information that is communicated as we operate online. Commercial VPNs may be a convenient, low-maintenance solution for basic internet browsing (although even this is dubious given the UFO VPN data breach), but they are not a sufficient managed attribution solution.