News

UFO VPN leaks database again; gets taken over & destroyed by hackers

UFO VPN was caught saving and leaking user logs despite complaining strictly no-log policy.

A few days ago Hackread.com covered an incident in which it was reported that UFO VPN was collecting user logs despite claiming to have a zero-logs policy and at the same time had exposed their database far and wide for attackers to see.

Although the database was secured later on 15th July due to efforts from security researchers, there’s another update. On July 21st, it was discovered that the UFO VPN database surfaced online again on the Internet with a different IP address containing larger and more recent user records.

Latest: 7 VPN firms with no-logs policy end up exposing 1.2 TB of user data

However, this time UFO VPN wasn’t so lucky in getting time to secure the leaked records as attackers took initiative and destroyed the entire database in an attack dubbed “Meow.”

Screenshot of the attack

Only a few records that were added recently can be seen still intact exposing the following data in the process which was also exposed earlier:

  1. Plaintext passwords
  2. IP addresses of the users and the VPN along with Geo-tags compromising user location
  3. Tokens of the VPN sessions
  4. Details pertaining to the user’s devices such as its OS.




Yet, this is not all. Excluding UFO VPN, 276 databases hosted on MongoDB and 1269 on Elasticsearch have also been compromised resulting in their deletion. For instance, this is the third time for MongoDB to be attacked, the first one being on 2nd July when about 47% of MongoDB databases were hacked and the second one on 10th July when the data of 188 million users was exposed.

Screenshot of a ransom note on one of the hacked MongoDB databases.

However, the latest incident involving UFO VPN was also confirmed to Hackread.com by Bob Diachenko, Cyber Threat Intelligence Director at SecurityDiscovery, who said in an email that,

“Seems like they have mismanaged to migrate the database on another server/IP and the same configuration issue happened thus exposing not only previously seen data but also newest ones, access logs dated Jul 20 (the day of the reappearing). Meaning that all other’s VPN databases got exposed.

To conclude, we do not know of the motives behind the attacker’s actions but just like the various attacks we’ve observed over the past few years, these too have occurred because of the gross negligence on the part of the database owners.

It is always recommended to use strong passwords with 2FA on databases while encrypting all the data within as threat actors can automatically detect unsecured instances and attack them.

Moreover, users are advised to thoroughly investigate the security protocols a company takes before using their service or perhaps, even doing business with them.

To Top

Pin It on Pinterest

Share This