A Virtual Private Network (VPN) provides privacy, anonymity and security to users, by a private network connection on the internet.
The major use of VPN, is to browse the web anonymously and safely, without having to succumb to rules put in place by the Internet Service Provider (ISP) or the government.
This is possible because when using a VPN, its protocols allow users can change their location and IP, making them appear on other countries. VPNs are generally regarded as a more secure alternative to a regular ISP for anonymizing internet traffic and unblocking blocked websites.
However, many VPN users wrongly assume that with a VPN, no one has access to their data. Unfortunately, VPN providers, in place of ISP, do have access to users' data. Some providers do keep logs, or fail to secure user information.
And this can translate to catastrophe if the data falls to the wrong hands.
One example of this, is when user databases of three popular Android VPN services have reportedly been hacked, with millions of user records now put up for sale on the internet.
The databases were said owned by SuperVPN, GeckoVPN, and ChatVPN.
These three popular VPNs together, have a combined 21 million users.
And following the hack, the hackers are selling sensitive details about that many users, including their authentication credentials like email addresses, usernames and randomly-generated password strings. The leak also contains users' full names, payment-related data along with the expiration date of the premium accounts.
Researchers at CyberNews who saw snippets from the databases, said that the leak also contains information about the user’s devices, like serial numbers, phone types, phone manufacturers, device IDs and device IMSI numbers.
Reportedly, the threat actor is also offering to sort the data by country for potential buyers.
The hackers claimed that they obtained the data by exfiltrating them from publicly available databases that were left vulnerable by the three VPN providers due to developers leaving default database credentials in use.
Initially, researchers were still speculating.
“We reached out to SuperVPN, GeckoVPN, and ChatVPN and asked the providers if they could confirm that the leak was genuine but we have received no responses at the time of writing this report,” CyberNews wrote on its report.
But they suggest that if the leaked databases are genuine, the three VPNs were lying to their users. The three claimed that they did not log their users, and that statement is said on their respective privacy policies.
"If true, this is an incredible blow to user security and privacy on the part of SuperVPN, GeckoVPN, and ChatVPN. And, in the case of SuperVPN, this blow is not the first," the researchers said.
And if it's true, the hackers may have access to more than just user information, but also full remote access to the three VPN's servers.
"With deeply sensitive device information such as device serial numbers, IDs, and IMSI numbers in hand, threat actors that have access to the data contained on the compromised VPN servers can get hold of that data and carry out malicious activities such as man-in-the-middle attacks and more," the researchers wrote.
Adding that, stolen credentials and device data can be the "dire cost of choosing the wrong VPN provider."