Free VPN providers leak personal information of over 21 million users. The database containing user credentials was recently discovered by CyberNews, with the leak potentially being a major privacy and security risk.

The providers affected by the massive data leak are some of the most popular free Android VPNs – SuperVPN (over 10,000,000 installs on Google Play), GeckoVPN (over 10,000,000 installs), and ChatVPN (over 50,000 installs). The database dated February 24 is currently being sold on shadow forums at an undisclosed price.

The cause of the leak was likely negligent provider practices of logging user information, and not taking the proper precautions to keep it safe. The VPNs didn’t just store user information, they also kept default server login information which made them extremely easy to access.

What’s the damage?

This isn’t the first time free VPN providers have been responsible for massive data leaks.

SuperVPN, in particular, suffered a nasty breach in July 2020. It seems, though, the providers did not learn their lesson or take any extra measures to ensure user safety.

This time the data breach is both more expansive and contains much more sensitive data. As stated by the anonymous author of the post, the leaked database contains such information as:

• Email addresses
• Usernames
• Full user names
• Country of user origin
• Randomly generated passwords
• Payment data
• Subscription status and expiration date

Even though all of the leaked information is sensitive, the random password strings are the biggest cause for concern. These could be linked to Google Play accounts, which puts the users’ financial information in peril.

The leak additionally contains information about:

• Users’ device IDs and serial numbers
• Device IMSI numbers
• Phone types and manufacturers

Potential attackers can use this information to carry out further malicious activities, such as man-in-the-middle attacks to gain further access to user devices and financial information.

Even though there is still some debate whether the leak is real, the data examples in the post seem legitimate. If so, this is a massive blow to the credibility of these free VPNs and a huge danger to over 21 million users.

What now?

SuperVPN, GeckoVPN, and ChatVPN have not yet released any kind of statement in regards to the alleged breach. However, if the leak information is true, it means the VPN providers log much more data than stated in their privacy policies.

If you have been using one of these (or any other) free VPN apps, we advise you to:

1. Check, whether your personal data have been leaked;
2. Change your online passwords, preferably using a password generator;
3. Uninstall the free VPN you have now and subscribe to the providers that can guarantee your online safety.

Online security and privacy are becoming a major concern by the day. And the majority of free VPN providers don’t seem to be able to guarantee the security you need.

Take the necessary precautions today and save yourself the trouble of being caught in a massive data leak tomorrow.