Free Virtual Private Network (VPN) service provider Bean VPN, has leaked personally identifiable information on millions of its users, researchers have found.
Cybersecurity researchers from Cybernews stumbled upon a database with more than 18GB of connection logs generated by the app.
The database, discovered by the researchers during a routine checkup using ElasticSearch, reportedly contained more than 25 million records, including details such as device IDs, Play Service IDs, IP addresses, connection stamps.
De-anonymizing people
All of these items, the researchers said, could be used to establish the users’ true identities:
“The information found in this database could be used to de-anonymize Bean VPN’s users and find their approximate location using geo-IP databases. The Play Service ID could also be used to find out the user’s email address that they are signed in to their device with,” Cybernews security researcher, Aras Nazarovas, said.
The app, which is not available on Apple’s app repository, has more than 50,000 downloads on the Google Play Store – where it appears to have been pulled from.
However on its website, the company says it doesn’t keep user activity logs, “including no logging of browsing history, traffic destination, data content or DNS queries.”
It also says it doesn’t collect IP addresses, outgoing VPN IP addresses, timestamps or the durations of sessions which, as Cybernews’ report suggests, is not true.
VPNs are a popular tool used to preserve one’s privacy when going online. By hiding the endpoint’s true IP address and location, the user can circumvent various censorships and geographical blockades. Ever since Russia invaded Ukraine, its government blocked its citizens from accessing western media outlets, which triggered an enormous spike in VPN downloads in the country.
VPNs are also very popular in China, where people use it to bypass the Great Firewall of China.