Free VPN SuperVPN Leaks Data from 360 Million Users: Check if You’re Affected

In a shocking revelation, a prominent free VPN service, SuperVPN, has been accused of leaking more than 360 million user data records online. The breach includes an alarming amount of sensitive information, such as email addresses, original IP addresses, geolocation records, unique user identifiers, and references to visited websites. The scale of the leak is significant, considering that SuperVPN has garnered over 100 million downloads worldwide from the Google and Apple app stores.

The cybersecurity researcher who investigated the incident warns that this breach should serve as a wake-up call for users, emphasizing the importance of choosing a trustworthy VPN service. Jeremiah Fowler, the expert who discovered and reported on the breached database, explained that as more individuals globally prioritize data privacy or attempt to bypass censorship, the use of VPNs has become prevalent. However, this incident showcases the potential risks associated with using an untrustworthy VPN service, as captured data could be shared with governments or exposed in the event of a data breach.

Fowler discovered a publicly exposed database linked to the SuperVPN app, which contained a staggering 133 GB of data. The leaked information included personal user details such as IP locations, servers used, unique app user ID numbers, as well as information about users’ online activities, device models, operating systems, and refund requests.

After notifications were sent to the available email addresses associated with both the iOS and Android versions of the SuperVPN app, the exposed database was abruptly closed without any explanation. This sudden action raises further concerns about the transparency and security of the service.

The recent surge in SuperVPN’s popularity adds to the unease surrounding the breach. Fowler highlighted that the app was trending on Twitter just last week when Pakistan blocked social media. Additionally, the ownership of SuperVPN is shrouded in ambiguity. Despite sharing the same name and having similar logos, the app is listed under different developers on the Google Play and Apple App Store platforms. SuperVPN on Google Play is credited to SuperSoft Tech, while SuperVPN for iOS, iPad, and macOS is attributed to Qingdao Leyou Hudong Network Technology Co. Moreover, references to another company named Changsha Leyou Baichuan Network Technology Co. were found among the leaked files.

Jeremiah Fowler’s investigation indicates that all entities associated with SuperVPN have connections to China, as evidenced by notes written in the Chinese language within the leaked database. However, both Qingdao Leyou Hudong Network Technology Co. and Changsha Leyou Baichuan Network Technology Co. have remained silent: neither has responded to requests for comment, and neither provides any information about its ownership or location on its website.

This is not the first time that cybersecurity experts have raised concerns about SuperVPN. In 2020, users were advised to delete the VPN due to the risks it posed to millions of users. In 2016, Australian researchers identified SuperVPN as one of the most malware-rigged VPN apps available.

As the investigation into SuperVPN’s data leak unfolds, it serves as a stark reminder of the potential hazards associated with utilizing unverified VPN services. Users must prioritize their data security and exercise caution when selecting a VPN provider, opting for reputable and trustworthy options to safeguard their sensitive information.