Free virtual private network (VPN) service provider Bean VPN has leaked personally identifiable information from millions of its users, researchers have found.
Cybersecurity researchers from Cybernews stumbled upon a database with over 18GB of application-generated connection logs.
The database, discovered by the researchers during a routine scan using ElasticSearch, contained more than 25 million records, including details such as device IDs, Play Service IDs, IP addresses, and connection timestamps.
All of these items, the researchers said, can be used to establish users’ true identities:
“The information found in this database can be used to anonymize Bean VPN users and find their approximate location using geo-IP databases. Play Service ID can also be used to find out the user’s email address device it is connected to,” said Cybernews security researcher Aras Nazarovas.
The app, which is not available on Apple’s app repository, has over 50,000 downloads from the Google Play Store, from which it appears to have been taken down.
However, on its website, the company says it does not keep logs of user activity, “including any logs of browsing history, traffic destination, data content, or DNS queries.”
It also says that it doesn’t collect IP addresses, outgoing VPN IP addresses, timestamps, or session durations, which, as Cybernews’ report suggests, is not true.
VPNs are a popular tool used to preserve privacy when going online. By hiding the endpoint’s true IP address and location, the user can bypass various forms of censorship and geoblocks. Since Russia invaded Ukraine, the Russian government has blocked its citizens from accessing Western media, which has triggered a huge increase in VPN downloads in the country.
VPNs are also very popular in China, where people use them to bypass the Great Firewall of China.
Via: Cybernews