If you’re going to mess with an unscrupulous VPN provider keeping logs of its customers’ IP addresses, you might as well do it with some style. That appears to be the thinking of unknown vigilante hackers who, over the course of the past week, overwrote the contents of over 1,000 unsecured databases left online for anyone to read.
One of those databases belonged to UFO VPN, a Hong Kong VPN that claimed to not log any user data. Instead, the company was recording everything from users’ passwords to IP addresses and storing it all in an unsecured database exposed to the open web. The hackers left a very particular calling card: the word “meow” followed by random numbers.
Bob Diachenko, a security researcher at Security Discovery, spotted the attack earlier this week. “New Elasticsearch bot attack does not contain any ransom or threats, just ‘meow’ with a random set of numbers,” he explained on Twitter. “It is quite fast and search & destroy new clusters pretty effectively.”
The Meow hackers aren’t running ransomware or attempting to extort corporations for the sin of improperly securing their customers’ data. Much like the famous BrickerBot that searched and destroyed IoT devices with hard-coded passwords, the Meow hackers essentially destroy exposed data before someone else can find it and steal it.
This attack highlights a growing problem in the cybersecurity world. Companies continue to leave sensitive customer data exposed in unsecured databases, creating easy targets for malicious actors. The VPN industry in particular has faced scrutiny for misleading privacy claims while failing to protect user data properly.
However, it’s unclear if the hackers are stealing the data themselves before writing over it. Those databases become a lot more valuable if you’re the only one with a copy, after all. The true motivation behind these attacks – whether vigilantism, boredom, or profit – remains a mystery.
The incident raises important questions about data security practices across the tech industry:
- Why are companies still leaving databases unsecured and exposed to the internet?
- How can consumers verify that VPN providers actually follow their stated privacy policies?
- What responsibility do security researchers have when they discover exposed data?
Regardless of the Meow hackers’ motivation, there’s the possibility that something good will come out of this ongoing mess. Maybe more companies going forward will take the minimal time and basic effort to protect the untold amounts of customer data they’ve gathered over the years.
The attack also serves as a reminder that choosing a VPN provider requires careful research. Users should look for providers with proven track records, independent security audits, and transparent policies about data handling. The promise of “no logs” means nothing if the company can’t properly secure what data it does collect.
Because if companies don’t start taking data security seriously, like a cat unable to resist pawing a glass of water left on the edge of your desk, the Meow hackers very well might be forever ready for their moment to pounce.