VPNMentor is reporting that a database containing the personal details and login credentials of 21 million users was leaked in a Telegram group. The dump also exposed the data of VPN users including SuperVPN, GeckoVPN, and ChatVPN. The database contains 10GB worth of data and is available for free on several different Telegram groups.
(the records appear to be unique).
Overall, the database contains:
- Email addresses
- Usernames
- Full names
- Country names
- Randomly generated password strings
- Billing details
- Premium status and validity period
At 21M records, the numbers may seem small compared to the billions that are already out there, but it would be a mistake to dismiss the significance of this. Many people think that using a VPN confers absolute security when the truth is that any authentication process involving a password is inherently insecure – they were unsafe 60 years ago and even more so today.
It is disappointing to see these types of data breaches and credential thefts which tarnish the reputation of the VPN Industry as well as other security products. As a matter of responsible software development this type of biographic detail should never be stored centrally within any product or management console / database. Furthermore, credential data such as passwords should never be stored anywhere – period! Password hashes can be used for comparison in conjunction with MFA for ongoing verification activities and nobody (not even the product vendor) should know what a user’s password is after it’s been stored in its salted and hashed version. Finally, device posture checking and binding with a one-time certificate exchange can ensure harvested information cannot be transferred across different endpoints to attempt compromise.
VPN’s are critical to security and privacy of individuals. However just like a sub-par endpoint protection product, if they are not designed or implemented with actual security and privacy in mind they are worse than not having a proper VPN in place, they create a consolidation point for attackers to harvest multiple users’ data. As evidenced in this breach there is a large amount of data which was stored without proper encryption applied to maintain proper safety. The passwords appear to have been properly secured in the database, but unfortunately far too much other information was exposed.
Users need to be mindful that anytime they are choosing a service or software meant to secure them, they should review if that same solution has suffered from any exposures or vulnerabilities in the past. There is nothing more damaging to user confidence than thinking they are secure when actually, they are even more exposed.