Exposed Elasticsearch Instance Exposed the Data of Millions of BeanVPN Users

Some 18.5 GB of connection logs belonging to users of BeanVPN's free Virtual Private Network (VPN) service have been exposed over the Internet. The logs contained more than 25 million records and included IP addresses, timestamps, Play Service IDs, and other sensitive data.

VPNs are used by many people to hide their identities online; the exposed data, however, could be used to de-anonymize users and to support a wide range of scams. For instance, according to the Cybernews researchers who discovered the exposure, a user's email address can be found from the Play Service ID, and geo-IP databases can be used to find a user's approximate location.

BeanVPN is a free VPN app that has been downloaded more than 50,000 times from the Google Play Store. During a routine checkup, researchers at Cybernews discovered a misconfigured Elasticsearch instance that was leaking user data. The researchers reached out to BeanVPN to advise the company of the exposure, and the Elasticsearch instance has now been secured.

Cybernews suggests that BeanVPN has violated its own privacy policy. Its website states that it does not store connection logs containing IP addresses, outgoing VPN IP addresses, connection timestamps, or session durations, and that its systems have been designed not to store sensitive user data. The privacy policy goes on to state that even when compelled to do so, it cannot provide data that it does not possess. The dataset identified by the Cybernews researchers clearly shows that some of the above data had been recorded and stored.

Misconfigured Elasticsearch instances are frequently found exposed to the Internet with no authentication, and they can contain vast amounts of sensitive data. The Cybernews team points out that this is far from the only case where VPN user data has been exposed. Earlier this year, the team identified three databases, each exposed through a misconfigured Elasticsearch instance, that contained the data of 21 million individuals who had used the SuperVPN, GeckoVPN, and ChatVPN services.
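The misconfiguration behind leaks like this one is almost always the same combination: the node is bound to a reachable network interface while authentication is switched off, so anyone who can reach port 9200 can read every index. The following script is an added example written for this article, not code from Cybernews or BeanVPN. It checks for that combination from two angles that need no live cluster: it audits the flat `key: value` settings of an `elasticsearch.yml` (the real setting names `network.host` and `xpack.security.enabled`), and it classifies the JSON banner an unauthenticated `GET /` on port 9200 returns. The sample configurations, the banner, the cluster name and the helper names are all constructed for the example.

```python
"""Added example: detect an Elasticsearch node exposed without authentication.

Two offline checks:
  1. audit_config()    - reads elasticsearch.yml settings and flags a node that
                         listens on a non-loopback address with security off.
  2. classify_probe()  - interprets the response to an unauthenticated GET /
                         (security on -> 401; open node -> 200 with its banner).
"""
import ipaddress
import json

# Values of network.host that keep the node reachable only from the same host.
# "_local_" is Elasticsearch's documented special value for loopback addresses.
LOOPBACK_NAMES = {"localhost", "_local_"}


def parse_flat_yaml(text):
    """Minimal parser for the flat `key: value` lines elasticsearch.yml uses.
    Constructed helper, not a YAML library: comments and blank lines are
    skipped; nested blocks and lists are ignored because this check
    does not need them."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, sep, value = line.partition(":")
        if sep and value.strip():
            settings[key.strip()] = value.strip().strip("\"'")
    return settings


def binds_non_loopback(host_setting):
    """True if any address in network.host is reachable from another machine."""
    for host in host_setting.split(","):
        host = host.strip().strip("[]")
        if host in LOOPBACK_NAMES:
            continue
        try:
            if ipaddress.ip_address(host).is_loopback:
                continue
        except ValueError:
            pass  # hostname or _eth0_-style interface name: assume reachable
        return True
    return False


def audit_config(yaml_text, major_version=7):
    """Return a list of findings for an elasticsearch.yml; [] means this check
    found no exposure. xpack.security.enabled defaults to false on 7.x and to
    true on 8.x, so the default depends on the major version."""
    settings = parse_flat_yaml(yaml_text)
    host = settings.get("network.host", "_local_")  # Elasticsearch default
    raw_sec = settings.get("xpack.security.enabled")
    security_on = (major_version >= 8) if raw_sec is None else raw_sec.lower() == "true"
    findings = []
    if binds_non_loopback(host) and not security_on:
        shown = raw_sec if raw_sec is not None else "default"
        findings.append(f"EXPOSED: network.host={host} is reachable and "
                        f"authentication is off (xpack.security.enabled={shown})")
    return findings


def classify_probe(status, body):
    """Classify the response to an unauthenticated GET http://host:9200/.
    Returns (verdict, cluster_name, version). An open node answers 200 with
    its banner JSON, which carries the tagline 'You Know, for Search'."""
    if status == 401:
        return ("auth-required", None, None)
    if status != 200:
        return ("unknown", None, None)
    try:
        doc = json.loads(body)
    except ValueError:
        return ("not-elasticsearch", None, None)
    if doc.get("tagline") != "You Know, for Search":
        return ("not-elasticsearch", None, None)
    return ("open", doc.get("cluster_name"), doc.get("version", {}).get("number"))


# Constructed sample inputs; they are not BeanVPN's real configuration or banner.
INSECURE_YML = """\
cluster.name: vpn-connection-logs
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""
HARDENED_YML = """\
cluster.name: vpn-connection-logs
network.host: 10.0.0.5
http.port: 9200
xpack.security.enabled: true
"""
OPEN_BANNER = json.dumps({"name": "node-1", "cluster_name": "vpn-connection-logs",
                          "version": {"number": "7.10.2"},
                          "tagline": "You Know, for Search"})

if __name__ == "__main__":
    for label, cfg in (("insecure", INSECURE_YML), ("hardened", HARDENED_YML)):
        print(label, audit_config(cfg) or ["no exposure found"])
    print(classify_probe(200, OPEN_BANNER))
    print(classify_probe(401, '{"error":"security_exception"}'))
```

Binding to a private address instead of `0.0.0.0` is not by itself a fix: the hardened sample still listens on a reachable interface, and what closes the hole is the authentication setting (plus TLS and a firewall rule in front of port 9200, which this check does not audit). Whether a node was ever exposed is also worth confirming from the outside, which is what the probe classifier does when fed the status and body of a real request.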

The team also issued a warning about using free VPN services. While these services can provide some anonymity when surfing the Internet, there is often a catch: limitations on the service, intrusive ads, or even the sale of personal data to third parties.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news