VPN With 'Strict No-Logs Policy' Exposed Millions of User Log Files (betanews.com)
New submitter kimmmos shares a report from BetaNews: An unprotected database belonging to the VPN service UFO VPN was exposed online for more than two weeks. Contained within the database were more than 20 million logs including user passwords stored in plain text. Users of both UFO VPN free and paid services are affected by the data breach, which was discovered by the security research team at Comparitech. Despite the Hong Kong-based VPN provider claiming to have a "strict no-logs policy" and that any data collected is anonymized, Comparitech says that "based on the contents of the database, users' information does not appear to be anonymous at all." A total of 894GB of data was exposed, and the API access records and user logs included: Account passwords in plain text; VPN session secrets and tokens; IP addresses of both user devices and the VPN servers they connected to; Connection timestamps; Geo-tags; Device and OS characteristics; and URLs that appear to be domains from which advertisements are injected into free users' web browsers. Comparitech notes that this runs counter to UFO VPN's privacy policy.
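As an added illustration (this is not code from the article, from BetaNews, Comparitech or UFO VPN), the script below audits records shaped like the ones the report lists for the three things that made this dump so damaging: passwords stored in plain text rather than as hashes, high-entropy session secrets or tokens, and client IP addresses. The field-name patterns, hash-format prefixes, entropy threshold and the two sample records are constructed assumptions for the example, not data from the actual breach.

```python
"""Audit log/DB records for plaintext passwords, session tokens and IPs.

Added example, not code from the article or from UFO VPN/Comparitech.
All field names, thresholds and sample records are constructed assumptions.
"""
from __future__ import annotations

import math
import re
from collections import Counter

# Assumption: field names that commonly carry credentials or session material.
SECRET_FIELD_RE = re.compile(r"(pass(word|wd)?|secret|token|session|auth|api[_-]?key)", re.I)
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
# Prefixes of common password-hash encodings: bcrypt, argon2, scrypt,
# PBKDF2 (passlib/Django style) and sha-crypt ($1$/$5$/$6$).
HASH_PREFIX_RE = re.compile(
    r"^(\$2[aby]\$|\$argon2(id|i|d)\$|\$scrypt\$|\$pbkdf2-|pbkdf2_sha256\$|\$[156]\$)"
)
# Unsalted hex digests (MD5 / SHA-1 / SHA-256) are still "hashed", just weakly.
HEX_DIGEST_RE = re.compile(r"^([0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)

# Assumption: a random 16+ character token scores well above 3.5 bits/char;
# English words and typical passwords score lower.
TOKEN_MIN_LEN = 16
TOKEN_MIN_ENTROPY = 3.5


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's own symbol distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_hashed(value: str) -> bool:
    """True if the value is in a recognised password-hash encoding."""
    return bool(HASH_PREFIX_RE.match(value) or HEX_DIGEST_RE.match(value))


def is_ipv4(value: str) -> bool:
    return bool(IPV4_RE.match(value)) and all(int(o) <= 255 for o in value.split("."))


def audit_record(rec: dict) -> list[str]:
    """Return a list of findings (empty list means the record looks clean)."""
    findings: list[str] = []
    for key, value in rec.items():
        if not isinstance(value, str):
            continue
        if is_ipv4(value):
            findings.append(f"{key}: IP address stored ({value})")
            continue
        if not SECRET_FIELD_RE.search(key):
            continue
        if re.search(r"pass", key, re.I):
            if not looks_hashed(value):
                findings.append(f"{key}: password stored in plain text")
        elif len(value) >= TOKEN_MIN_LEN and shannon_entropy(value) >= TOKEN_MIN_ENTROPY:
            findings.append(f"{key}: high-entropy secret/token stored ({len(value)} chars)")
    return findings


def audit_records(records: list[dict]) -> dict[int, list[str]]:
    """Map record index -> findings, for records that have any."""
    return {i: f for i, rec in enumerate(records) if (f := audit_record(rec))}


# Constructed sample records (not from the breach).
SAMPLE_RECORDS = [
    # A leaky API-access record: plaintext password, client IP and session token.
    {"user": "alice@example.com", "password": "hunter2", "client_ip": "203.0.113.7",
     "session_token": "Zj9kQ2tLm8pXr4WvB1nS6yTq0aHd3eUo", "ts": "2020-07-01T12:00:00Z"},
    # A better-behaved record: bcrypt-style hash (placeholder string), no IP, no token.
    {"user": "bob@example.com",
     "password": "$2b$12$C6UzMDM.H6dfI/f/IKcEeO6a1xJtQ9OlnoYOIdnlVWaJOHqB1kqhy",
     "ts": "2020-07-01T12:05:00Z"},
]

if __name__ == "__main__":
    for idx, findings in audit_records(SAMPLE_RECORDS).items():
        for f in findings:
            print(f"record {idx}: {f}")
```

Run it against an export of your own API or VPN access logs before someone else does; anything flagged here is exactly the material a "no-logs" service should never have written to disk in the first place.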
Maybe it wasn't a no-logs policy. (Score:3, Funny)
VPN With 'Strict No-Logs Policy' (Score:2)
Re: (Score:2)
Re: (Score:3)
Maybe they just avoid wooden furniture.
Seriously (Score:1)
What happened is that they were so committed to privacy that they had a giant digital marquee set up in their headquarters that said "No Logging." But the guy in charge of implementing the policy looked up too late, and the "No" had already scrolled off, so he thought it said "DO Logging."
Re: (Score:2)
Maybe the policy was "no, logs!"
Misplaced comma strikes again [wikipedia.org] ...
Re: (Score:1)
Or since they are located in Hong Kong, perhaps once upon a time they actually didn't keep logs but now that the Chinese government has asserted control over the area, they were forced to start doing so secretly.
Who would have guessed? (Score:4, Insightful)
Users of the services are advised to change their passwords immediately.
And also maybe stop using the service entirely since they're complete liars and can't even do the one thing they're supposed to do.
Re: (Score:1)
Re: (Score:2)
In their case probably "Public"?
Re: (Score:2)
Re: (Score:2)
Pawned?
Re: (Score:1)
Re: (Score:1)
Big promise, zero delivery
Re:Who would have guessed? (Score:5, Informative)
And also maybe sue UFO VPN's developer TOOLSFOREST LTD and their CEO Lei Zhou for any and all damages incurred due to gross neglect.
Or perhaps pay them a visit and let them know personally how you feel about their practices:
UFO VPN company address: Lee Garden One, Room 1907, 19/F, Lee Garden One, 33 Hysan Avenue, Causeway Bay, Wan Chai District, Hong Kong
And also maybe don't give their parent company any business either: DreamFii LTD.
Re: Who would have guessed? (Score:2)
How would you prove damages?
Re: (Score:2)
Enough to bill IT hours reconfiguring the network, lost business due to resulting downtime, plus cost of contract with a new VPN provider.
/. usually censors advice disempowering businesses (Score:1)
Be careful on sites like this when you recommend something like that. /., Hacker News, and so many other establishment media repeater sites usually censor logical, reasonable, defensible advice that results in not handing over one's freedom to businesses. One could reach the same conclusion about, say, running Microsoft's proprietary software when it is revealed that Microsoft h [ghacks.net]
Re: (Score:2)
Can you provide an example of Slashdot censoring such advice? I note that the GPP is currently modded insightful and is still very much present. Also, I'm not sure what an "establishment media repeater site" is.
Re: (Score:2)
Usually this takes two forms: actively downplaying anyone who questions a proprietary software narrative and noticing that the preponderance of comments come from the perspective of accepting proprietary software as legitimate. For the former, try looking for any links to pages on GNU.org's proprietary page [gnu.org] where examples that challenge the legitimacy of proprietary control over the user are listed (in a highly organized way both by subject matter
Re: (Score:2)
Okay. I'm not intending to dispute most of what you said, but I do consider proprietary software to be a legitimate thing. When I say that, I don't mean that I think it's the best thing. I think that free, open source software is better. But, surely, some proprietary software fills a need that people have, and when there is no comparable FOSS alternative, it's better for consumers to have access to the proprietary option than none at all? I mean, even given the list of bad things about proprietary software
Sad (Score:1)
Re: Sad (Score:1)
ipredator.se doesn't. You can check for yourself, by going there.
Re: (Score:2)
Yeah, I'm sure if you knock on their door and ask to see their logs they'll eagerly give you a desk and a terminal with root access so you can look around in their system.
anyone else... (Score:5, Informative)
...stop reading at "Hong Kong based VPN provider"?
I'm already suspicious that MOST if not all VPN providers are fronts for law enforcement, intelligence, or organized crime (none of those are mutually exclusive by the way) but you'd have to be a special kind of stupid to believe a VPN hosted in China is safe. And yes, anyone with a brain has known since 1997 that Hong Kong was Chinese, regardless of public consensual delusions to the contrary.
Re: (Score:2)
Re: (Score:1)
Tough words. You are no doubt an expert on the topic.
Businesses trust their privacy to VPNs every day.
Re: (Score:3)
Businesses trust VPNs that they run. They control the endpoints. They control the encryption. They control the logging and they control the authentication. This is a world of difference from using a 3rd party VPN.
Re: (Score:3)
That's not the same thing. Businesses use VPNs to interconnect private networks at different sites, or to allow authorized access to their networks. They control both ends of the tunnel. What's being discussed here is completely different. It's allowing people to tunnel out to the Internet via a service, with the intent of hiding the original IP address, and/or disguising the geographic source. The user has no control of the other end.
Re: (Score:2)
I stopped reading at "strict no-logs policy". Anyone who's willing to trust their privacy to a VPN is an idiot.
Why? Trust of privacy is dependent on many factors including how it impacts you. Honestly I would "trust" a Chinese VPN with my privacy more than I trust my local ISP. The former is likely handing my details over to a government which can't touch me, the latter is likely selling it to anyone with a credit card.
I mean the hack and leak of all data notwithstanding, there's generally a very different level of trust applicable to a VPN provider even if they are lying about their no-logs policy.
Re: (Score:2)
Re: (Score:2)
The log entry is created the instant you log into them.
That's splitting hairs in a disingenuous way. No one in the world is talking about login data. It is basically universally understood that they are talking about traffic logs capable of matching a user with externally visible data, i.e. timestamp, ipaddress, external port, and redirected ip/user account.
As for China "not touching you" well, don't be so sure about that. Unless you have absolutely no family at all (and don't plan on having any) you're vulnerable if any one of them wants to travel. That new National Security Law applies to anyone around the world
To them I say, come at me bro. The reality is China passes incredible sweeping laws to keep their own people in check, beyond that they use these laws against only the most aggressive of the anti CCP interna
Re: anyone else... (Score:2)
You trust your privacy to Microsoft, Google, maybe Apple, Intel or AMD, Foxconn, your ISP, your router maker, etc, as we speak. Idiot.
Re: (Score:2)
Only a fucking idiot would send a service named "UFO VPN" their hard earned money.
Try the name with any other sort of service...
"UFO SAVINGS AND LOAN"
"UFO HEALTH INSURANCE"
"UFO CHILD CARE"
Re: (Score:2)
Re: (Score:1)
I prefer that flying objects be identified.
Re: anyone else... (Score:1)
I've flown them several times, although the trip was free, I had no control over the destination or return time, don't remember much, my ass is sore for some reason and I've got this device installed in my body now.
Re: (Score:2)
If that's your excuse when you see your doctor about the sore behind, I have to tell you that he doesn't believe you.
Re: anyone else... (Score:1)
I live near San Francisco. There's absolutely nothing I could tell her she'd care about or be shocked by.
Re: (Score:1)
"UFO Airlines might be interesting."
With just probes as a seating arrangement? No thanks.
Re: (Score:3)
I've long thought the same about "Go Daddy."
Re: (Score:2)
And if they're also using a warrant canary showing negative, that no-log policy may also be the ongoing situation.
Of course, none of the above would apply to a Chinese VPN.
Re: (Score:2)
VPNs are not a panacea but they are useful. They don't have to be expensive either, e.g. Mullvad is based in Europe, staff are friendly and responsible, their client has been externally security audited or you can just use your own WireGuard/OpenVPN software. Pay in cash or Bitcoin too, 5 Euro/month.
Just remember that you can't trust them more than your ISP, e.g. if you need more security, layer Tor on top.
Audited VPN Service? (Score:1)
Re: Audited VPN Service? (Score:2)
Sure, sure, I offer "audits" at $50 a pop.
My "business" is designed to check all the "credible" boxes. You know: Like Wikipedia "credible sources": Serious color scheme, clean design, understating marketing style, short business name containing something that sounds related to a university or institute, copies of all the usual bank and security business design memes, lots of fake customer reviews, the usual.
I'm somewhere in Backwater, Shithole, sitting on my greasy 60s coffee table, sweaty, hairy, in the nu
Re: Audited VPN Service? (Score:1)
Re: (Score:2)
No one's going to trust a security company named "barefoot" - it sort of gives away the game. But if you rebrand to "Bearfoot" then you have a solid business plan. Sounds very security-y.
Why use a VPN? (Score:5, Insightful)
I get that people don't trust their ISP... but why do you trust some random VPN provider more? At least your ISP is probably some regulated entity (maybe poorly regulated, but at least SOME oversight). They have a brick and mortar building where you can go yell at someone, and if enough people get upset, you MIGHT get some change. In some areas, it may even be a co-op, where you're an owner and can go yell at a meeting.
But some random website you clicked on the Internet, then gave your credit card to, then route all your personal information through? When did that ever make sense?
Re: (Score:3)
I get that people don't trust their ISP... but why do you trust some random VPN provider more?
Because my ISP options are known to be untrustworthy, and also criminal (one has misappropriated billions of taxpayer dollars, the other has been caught making hidden charges.) I know they're untrustworthy. A random VPN provider might be more trustworthy. At least, there's a chance. There's no chance that my ISP can be trusted.
Re: Why use a VPN? (Score:1)
Re: (Score:2)
> Ok but why not just use Tor then?
Which squares have traffic lights?
Re: (Score:2)
Which squares have traffic lights?
Heheh. Can relate.
Re: (Score:2)
Because my ISP options are known to be untrustworthy, and also criminal (one has misappropriated billions of taxpayer dollars, the other has been caught making hidden charges.)
Which one of them now has their guy [wikipedia.org] running the FCC?
Re: Why use a VPN? (Score:2)
Because you want to do file sharing, and your ISP sucks Content Mafia dick?
Because you don't trust exactly those "regulated" entities and their masters you are talking about, and they are your enemies? (Like being a revolutionist, e.g. in China.)
Because you don't want sites to know you are the same guy who likes gagging on shitting dick nipples. ;)
But hey, the best VPN is still onion-routing through a mix of zombies that you hacked yourself. ;)
Re: Why use a VPN? (Score:1)
Re: Why use a VPN? (Score:2)
I thought I'd seen it all but I can't draw the picture in my mind of what "shitting dick nipples" are. Much less what gagging on them entails.
Re: (Score:2)
Re: (Score:1)
Some people have fetishes. Sometimes those fetishes are very niche. Sometimes people combine multiple niche fetishes together and then draw them for the world to see. Sometimes those people trust the wrong VPN, apparently.
Re: Why use a VPN? (Score:2)
It never ceases to amaze me the wealth of information and insight into other's sexual psyches available on the net.
The last time I was "wtf?! Is that real?!" about a fetish was when I saw a video of a woman in high spiked heels stomping on live mice in a box. It had to be a joke or something. Unfortunately, no, it turned out to really be a "thing". I'm pretty open minded but every so often... wow. *head explodes*
Re: (Score:2)
use ipredator.se (Score:1)
By the Pirate Bay guys. Can be paid anonymously too, afaik.
A more credible provider than the usual suspects.
Don't be naive (Score:2)
Don't be naive- if you think that any VPN provider truly doesn't keep logs, you're being foolish. Of course they do.
Re: (Score:2)
Why would they bother, other than being too stupid to change defaults? It's more work than not keeping logs. Only if legally required, which obviously it would be in China.
Play stupid games, win stupid prizes (Score:1)
Only a fool would trust those claims.
Shocked! (Score:2)
But, I thought VPNs were "more secure"...? (Score:2)
That being said, I actually do use a VPN... one that I set up on my own routers at my work. I'd have to have a screw or two loose to use somebody else's VPN.
Re: (Score:1)
I wouldn't be surprised if they are logging everything, would rather they don't but not a big issue, I'll be protecting myself in other ways if needed.
Re: (Score:2)
I use both. I'd like to think you know the difference between VPNs for remote access and those for obfuscation/privacy. Same technology, totally different (and equally worthwhile) goals.
Shut them down (Score:2)
Re: Shut them down (Score:2)
It's a Chinese VPN that is invading the privacy of Chinese users. This is what they exist to do as per their masters, the CCP.
It has the stink of communist China all over it (Score:3)
Re: (Score:2)
When I worked at a VPN company... (Score:2)
How do they make their money? (Score:2)
The word of the day (Score:2)
is "DUH"
evacuate! (Score:2)
Reason to sue for a complete refund (Score:2)
If the official service terms stated "no logs" but logs were found, that sounds like all customers can sue for a refund for all services rendered in the past, since the service as advertised was not provided. Depending on local laws they might be able to sue for additional damages, but all fees ever collected is a good start. It would be a good example for any future ISPs who want to claim "no logs".