VPN service put plaintext passwords in unsecured Elasticsearch database
The database of a Hong Kong VPN service was found exposed online. As a result, data from more than twenty million users could be viewed, including plaintext passwords and session tokens. The provider claimed to keep no logs.
The data sat on an unsecured Elasticsearch server. It was discovered by the security company Comparitech, which published its findings after informing the company. Comparitech found the server via Shodan at the end of June. The database belongs to UFO VPN, a service based in Hong Kong.
The database contained data from more than twenty million users. The full dataset was 894 gigabytes in size. Strikingly, not only e-mail addresses but also users' passwords could be read in plaintext. Also exposed were session secrets and tokens, users' IP addresses and the VPN servers they connected to, connection timestamps, geotags, and information about users' devices and operating systems. Browsing activity itself does not appear to have been logged, although that information could have been retrieved retroactively using the secrets and tokens.
UFO VPN says the information on the server is "anonymous" and "used only to analyze users' network status and any issues." There is no indication that the information has been misused by others. UFO VPN has since protected the database with a password. The VPN service states on its website that it has 20 million customers, so every customer of the company may have been affected.