VPN Provider's Misconfiguration Exposes One Million Users

At least one million users of a Chinese-run VPN service have had their personally identifiable information (PII) exposed due to a misconfigured Elasticsearch server, Infosecurity can reveal.

The privacy concern affects Quickfox, a free VPN used mainly by the Chinese diaspora to visit sites otherwise inaccessible from outside mainland China, according to reviews site WizCase.

Unfortunately, Quickfox owner Fuzhou Zixun Network Technology had not adequately configured its Elastic Stack security, leaving an Elasticsearch server exposed and accessible – with no password protection or encryption enforced.

The 100GB trove found by the researchers contained 500 million records, including PII on one million users and system data on 300,000 customers. WizCase told Infosecurity that the server has yet to be secured.

The exposed PII included customers’ emails, IP addresses, phone numbers, details to identify device type, and MD5 hashed passwords. WizCase warned that MD5 is itself far from secure and can be cracked by modern technology.
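To illustrate why unsalted MD5 offers leaked credentials so little protection, and what a per-user salted, deliberately slow hash changes, here is an added Python example. It is not code from the article or from Quickfox; the password list is constructed for the demonstration, and the PBKDF2 parameters are an assumed reasonable baseline, not anything the page specifies.

```python
import hashlib
import hmac
import os

# Constructed sample of weak passwords of the kind found in public wordlists.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]


def md5_hex(password: str) -> str:
    """Unsalted MD5 as described in the article: deterministic and very fast,
    so identical passwords yield identical digests across every user."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_md5_lookup(candidates):
    """Precompute digest -> plaintext for a candidate list. Because there is no
    salt, one table serves every account in the leak."""
    return {md5_hex(p): p for p in candidates}


def recover_from_md5(stored_hashes, lookup):
    """Map each leaked digest to its plaintext if it is in the table, else None."""
    return {h: lookup.get(h) for h in stored_hashes}


def shared_password_groups(user_to_md5):
    """Unsalted hashes also reveal which users share a password, without
    recovering it: group usernames by identical digest."""
    groups = {}
    for user, digest in user_to_md5.items():
        groups.setdefault(digest, []).append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}


# Assumed baseline: PBKDF2-HMAC-SHA256 with a 16-byte random salt and a high
# iteration count. Any modern password hash (bcrypt, scrypt, Argon2) would do.
PBKDF2_ITERATIONS = 600_000


def pbkdf2_hash(password: str, salt=None):
    """Return (salt, digest). A fresh salt per user defeats shared lookup
    tables; the iteration count makes each guess cost real CPU time."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=32
    )
    return salt, digest


def pbkdf2_verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so verification timing leaks nothing."""
    _, candidate = pbkdf2_hash(password, salt)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed leak: two users chose "password", one chose something unusual.
    leaked = {
        "alice": md5_hex("password"),
        "bob": md5_hex("password"),
        "carol": md5_hex("correct-horse-battery"),
    }
    table = build_md5_lookup(COMMON_PASSWORDS)
    print("recovered:", recover_from_md5(leaked.values(), table))
    print("shared passwords:", shared_password_groups(leaked))

    # Same password, two users, two different stored values.
    s1, d1 = pbkdf2_hash("password")
    s2, d2 = pbkdf2_hash("password")
    print("salted digests differ:", d1 != d2)
    print("verify ok:", pbkdf2_verify("password", s1, d1))
```

Running it shows the two users with the same weak password recovered from a four-entry table and flagged as sharing a credential, while the PBKDF2 digests for that same password differ per user and cannot be resolved with a shared table.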

This would have been enough for fraudsters to follow up with phishing emails, vishing phone calls and other tactics designed to elicit further sensitive information like credit card or bank details.

“The leaked information about device type and installed software could make this con very convincing,” warned WizCase. “It’s unclear why the VPN was collecting this data, as it is unnecessary for its process and it is not standard practice seen with other VPN services.”

This leaked data included the names of other software installed on users’ devices, alongside file location, install date, and version number.

By unmasking the MD5 hashed passwords and using credential stuffing techniques, cyber-criminals could also try to hijack other accounts across the web, which users might protect with the same credential, WizCase warned.

It urged users to carefully vet VPN providers before choosing them and be aware that free services may profit by collecting and using customer data.

Those affected in the Quickfox incident were mainly located in the US, Japan, Indonesia and Kazakhstan.
