
"Zero Logs" VPN Company Exposes Millions Of User Logs

by Tyler Durden

The logs reportedly included passwords, IP addresses, geographical location, connection timestamps, session tokens, device information and the OS used.

This is in stark contrast to UFO VPN's stated privacy policy that "We do not track user activities outside of our Site, nor do we track the website browsing or connection activities of users who are using our Services."

The exposure was discovered by Comparitech security's Bob Diachenko after a search engine indexed the server hosting the data. Diachenko discovered the exposed data four days later and notified UFO VPN. Two weeks later, he notified the hosting provider, and the next day, more than two weeks after UFO VPN was notified, the database was secured.

If bad actors managed to get their hands on the data before it was secured, it could pose several risks to UFO VPN users.

The plain-text passwords are the clearest and most direct threat. Hackers could not only use them to hijack UFO VPN accounts, but might also be able to carry out credential stuffing attacks on other accounts. If the same password is used across multiple accounts, they could all be compromised.

IP addresses could be used to discern users' whereabouts and corroborate their online activity. VPNs are often used to hide users' real locations and online activity.