Updated: Personally Identifiable Information (PII) of more than one million users of the free Chinese VPN service Quickfox is exposed on a poorly configured Elasticsearch server, unencrypted and reachable from the open internet with no password required.
According to WizCase, which revealed the case, data such as full names, originating IP addresses, telephone numbers, lists of other software installed on the user’s device, MD5-hashed passwords and more remain exposed, even after the discovery.
“No password or login credentials were required to view this information and the data was not encrypted. Based on exposed logs […] The breach could have affected at least a million Quickfox users. We contacted the company, but we have not received a response so far,” write researchers from WizCase’s cybersecurity research team.
In addition to the users’ personally identifiable information, internal data of the VPN platform was also found, and although the passwords are hashed with MD5 by default, the researchers explain that this is an archaic and insecure algorithm.
“While passwords were encrypted, MD5 is an archaic hashing technique that leaves users’ passwords vulnerable to modern password-cracking techniques,” they write.
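The remediation the researchers’ point implies is to stop storing unsalted MD5 and move users to a salted, slow password hash. The following added example (not code from WizCase or Quickfox) shows a verify-and-upgrade routine that accepts a legacy MD5 record on login and transparently re-hashes it with per-user-salted PBKDF2-HMAC-SHA256; the user record and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample record shaped like the exposed data: an unsalted MD5
# of the user's password. Hypothetical user, not real data from the breach.
LEGACY_MD5_RECORD = {
    "user": "alice",
    "scheme": "md5",
    "hash": hashlib.md5(b"correct horse").hexdigest(),
}

PBKDF2_ITERATIONS = 600_000  # assumption: a modern cost setting for PBKDF2-HMAC-SHA256


def hash_password(password: str) -> dict:
    """Salted PBKDF2-HMAC-SHA256; a fresh random salt per user defeats precomputed tables."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"scheme": "pbkdf2_sha256", "iterations": PBKDF2_ITERATIONS,
            "salt": salt.hex(), "hash": digest.hex()}


def verify_password(record: dict, password: str) -> bool:
    """Check a password against a legacy MD5 record or an upgraded PBKDF2 record."""
    if record["scheme"] == "md5":
        candidate = hashlib.md5(password.encode()).hexdigest()
    elif record["scheme"] == "pbkdf2_sha256":
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                        bytes.fromhex(record["salt"]),
                                        record["iterations"]).hex()
    else:
        return False  # unknown scheme: fail closed
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, record["hash"])


def login_and_upgrade(record: dict, password: str) -> Optional[dict]:
    """On a successful login, re-hash legacy MD5 records so MD5 disappears over time."""
    if not verify_password(record, password):
        return None
    if record["scheme"] == "md5":
        upgraded = hash_password(password)
        upgraded["user"] = record["user"]
        return upgraded
    return record
```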
Why does a VPN service collect this data?
Beyond the data exposure and the company’s failure to respond to security researchers and resolve the issue, it is also unclear why a VPN service collects this user data at all.
Researchers explain that with access to this data, criminals could sell or distribute it on cybercrime forums, or use it in campaigns such as phishing, fraud, scams and even takeover of the victim’s account.
Researchers also warn that free VPN services usually fund their operation in other ways that are less transparent and sometimes suspicious.
“Be sure to research a VPN service before using it. In general, if a VPN isn’t profiting through subscription services, the VPN is making money through other means, usually collecting your data. If you choose to use a free VPN, make sure you understand and feel comfortable with the information they collect. Also, share only the information you need to operate the program,” the researchers conclude.