5.7 Billion Data Entries Exposed on a Free VPN

The Cybernews research team has discovered a major leak in a free VPN aimed at users in China...


Time and again, we tell you that you shouldn’t be using free VPNs but proven, zero-logs services whose claims are backed by a third-party audit. Adding to the “proof pile,” we have a story involving a major data leak from a (you guessed it) free VPN called Airplane Accelerates. Remember that name so you can avoid it at all costs.

On July 7, during a routine check-up using open-source intelligence (OSINT) methods, a Cybernews researcher discovered an open Elasticsearch instance holding no less than 626GB of VPN connection logs. This massive database contained a staggering 5.7 billion entries, including user IDs, original IP addresses and domain names, and timestamps.

“This leak is significant, because the leaked data could be used to de-anonymize and track the users of this app,” said Aras Nazarovas, the researcher who led the investigation into the freeware. “Analysis of the Android app also shows that it is capable of functioning as spyware, and has remote code execution capabilities.”

According to Nazarovas, since Airplane Accelerates has received around 3,000 reviews on the Chinese version of the App Store alone, and far fewer reviews on the global version, it is reasonable to assume the actual number of users across platforms could run into the tens or perhaps even hundreds of thousands.

Cybernews examined the Android version of the app and found a “list of domains including VPN services, anti-China and porn websites, open source tools used to bypass censorship, hacking tools, social media websites, and search engines,” as opposed to websites that are “approved by the government.” This suggests that the list has been compiled to track users who are visiting domains that Beijing may disapprove of.

The scary thought is that the newly exposed details could now lead to actual arrests.

Aside from offering a free service, there were also other red flags with the app. According to Cybernews, the Airplane app requested a suspiciously high number of permissions, ranging from access to camera and audio recording to reading and modifying contacts, external storage, and installing packages.

“The amount of permissions the app requests suggests that some of the information it collects was stored in a different database than the one we found,” said Nazarovas, clarifying that the Chinese-language website that distributes the apps can be found at vp2n.cc while the domain name apnetworksapp.com hosts the app’s contact details and location.

To be fair, the company website features a privacy policy, but it is unclear whether it applies specifically to the VPN app or another service. It is this lack of clarity that has created a legal gray area that could potentially leave the app’s users vulnerable to having their data shared.

To conclude, if you want to stay on the safe side, you should pay for a good VPN, and you should pick one that has been in the business for some time and has a rock-solid track record. Such a VPN would have a zero-logs policy that has been audited by a reputable third party. And that’s what our list of Best of the Best VPNs is all about. Check it out and find yourself an amazing VPN you can trust!