A user on a popular hacker forum is selling three databases that purportedly contain user credentials and device data stolen from three different Android VPN services – SuperVPN, GeckoVPN, and ChatVPN – with 21 million user records being sold in total.
The VPN services whose data has been allegedly exfiltrated by the hacker are SuperVPN, which is considered as one of the most popular (and dangerous) VPNs on Google Play with 100,000,000+ installs on the Play store, as well as GeckoVPN (10,000,000+ installs) and ChatVPN (50,000+ installs).
The forum user is selling deeply sensitive device data and login credentials – email addresses and randomly generated strings used as passwords – of more than 21 million VPN users for an undisclosed sum.
We reached out to SuperVPN, GeckoVPN, and ChatVPN and asked the providers if they could confirm that the leak was genuine but we have received no responses at the time of writing this report.
To see if any of your online accounts were exposed in previous security breaches, use our personal data leak checker with a library of 15+ billion breached records.
What was leaked?
The author of the forum post is selling three archives, two of which allegedly contain a variety of data apparently collected by the providers from more than 21,000,000 SuperVPN, GeckoVPN, and ChatVPN users, including:
- Email addresses
- Full names
- Country names
- Randomly generated password strings
- Payment-related data
- Premium member status and its expiration date
The forum post author is also offering potential buyers to sort the data by country. The random password strings might indicate that the VPN user accounts could be linked with their Google Play store accounts where the users downloaded their VPN apps from.
Example of VPN user data put for sale on the hacker forum:
Based on the samples we saw from the second archive, it appears to contain user device information, including:
- Device serial numbers
- Phone types and manufacturers
- Device IDs
- Device IMSI numbers
The threat actor claims that the data has been exfiltrated from publicly available databases that were left vulnerable by the VPN providers due to developers leaving default database credentials in use.
If true, this is an incredible blow to user security and privacy on the part of SuperVPN, GeckoVPN, and ChatVPN. And, in the case of SuperVPN, this blow is not the first.
The danger of using VPNs that log your data
If the data sold by the threat actor is genuine, it appears that the VPN providers in question are logging far more information about their users than stated in their Privacy Policies.
It is also worth pointing out that the attackers might have gained full remote access to the VPN servers.
With deeply sensitive device information such as device serial numbers, IDs, and IMSI numbers in hand, threat actors that have access to the data contained on the compromised VPN servers can get hold of that data and carry out malicious activities such as man-in-the-middle attacks and more.
In theory, one of the main points of using a VPN is to encrypt your internet traffic and protect your privacy from the prying eyes third parties, such as ISPs, repressive governments, or threat actors.
This is why, when choosing a VPN, users should always make sure that the VPN in question does not log their online activities or collect any other data about them. Otherwise, data stolen from VPNs that log their users’ information can be used against those users by threat actors.
And, as this leak has shown, stolen credentials and device data can be the dire cost of choosing the wrong VPN provider.
Stay tuned for more information
Our investigation of this leak is ongoing, and we will update the story as it unfolds. In the meantime, consider using our personal data leak checker with a library of 15+ billion breached accounts to find out if any of your online accounts have been leaked in previous breaches.