After the SuperVPN data leak, how do you choose a safe VPN?
In February the online security world was rocked by a report that 21 million user records were up for sale on a hacking website.
The records included sensitive device data, logins and PII (Personally Identifiable Information). Other details that could enable identity theft, phishing, fraud or account hijacking were also disclosed. The most alarming part of the report was the revelation that the hacked data was taken from free VPN providers. SuperVPN, the most popularly downloaded free VPN on Android devices, was one of them.
This shocking data leak is particularly alarming for Australians.
The privacy concerns that make Australians particularly vulnerable to bad VPNs
Australians are extremely vulnerable to bad players in the VPN space because we are such heavy users of VPNs. In fact, from 2017 onwards we have been the country with the fastest VPN take-up in the world.
Why? You may remember that back in 2017 the federal government forced through its heavily debated and criticised data retention law.
The law requires ISPs to log 2 years of your internet activity metadata – details such as who you communicate with, when, and your device details. Despite assurances that logs of websites visited would not be kept, in practice this has turned out not to be true.
Human rights advocates are seriously alarmed by the erosion of online privacy that the law initiated, as the government introduces more and more ways to record and intercept citizens' data. Last year, the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 increased government powers to intercept and monitor network activity.
Recently, the Commonwealth Ombudsman found that Australian police and regulators have been unlawfully accessing private metadata collected under the data retention law. There are questions as to what the data will be repurposed for and who it will be used by in the future.
Meanwhile, 54% of Australians are unsure of, or outright against, our government using our personal details for policymaking.
Australians rely on VPNs as a legal method of keeping our metadata and online life private. A VPN acts as a shield from ISP activity logging, keeping your online life out of the Australian government's eye. Privacy concerns are not the only reason Australians have turned to VPNs, but they have contributed to their widespread use since 2017. This makes Australians uniquely vulnerable to bad actors in the VPN space.
The SuperVPN data leak that exposed 21 million people to cybercrime
In February, three databases of user login credentials appeared for sale on a popular hacking website. The data included login credentials such as email addresses, usernames and passwords, PII such as full names and country of residence, password strings that possibly allowed access to users' Google Play accounts, and payment information.
The data turned out to be taken from three highly popular free VPN products used on Android devices.
SuperVPN, GeckoVPN, and ChatVPN users had their data stolen and advertised for sale. The popularity of these free VPN products can't be overstated: SuperVPN had over 100 million installs (GeckoVPN had 10 million and ChatVPN 50,000).
The data on offer showed that the free VPN providers were logging more data than their privacy policies said they would.
The data breach highlighted the danger of free and popular VPN products, which can have high feedback ratings and large numbers of positive reviews on download platforms. User comments on these platforms often do not reflect what professional reviewers know about a software product’s history.
Those who turn to trusted sources for VPN news and reviews would have known that SuperVPN was also identified as a security risk in 2020. In July of that year, SuperVPN and related free VPN products exposed 1.2 terabytes of user information to abuse; that information had been logged in violation of the applications' own privacy policies. At that time it was discovered that several other free VPNs shared a server with SuperVPN and were likely owned by the same company.
The free VPNs to avoid
As well as SuperVPN, GeckoVPN and ChatVPN, there are several free VPNs related to SuperVPN to avoid. They appear to be owned by the same company that operates SuperVPN, and use the same servers. Here is the complete list.
– UFO VPN
– FAST VPN
– FREE VPN
– SUPER VPN
– Flash VPN
– Secure VPN
– Rabbit VPN
These VPNs have all been found to keep PII, user data and activity logs. They have all been involved in data breaches.
How to choose a safe VPN that maintains security and won’t log your data
Bad actors in the VPN space are likely to continue to prey on the uninformed, yet going without a VPN is not a solution.
The pandemic has only contributed to shifting more of our lives online. Our movements, habits, preferences, relationships, political leanings and thoughts are increasingly readable in our data. Government surveillance of our time online becomes increasingly Orwellian under these circumstances. ISP logging and tracking, as well as unexpected or illegal access to those logs, are still issues of concern. Australians date, shop, gossip and think in a mode that feels private when alone with our devices. Without a VPN, that is not the case.
Using a VPN holds your data back from ISPs, is legal, and helps prevent cybercrime – as long as you choose a VPN that genuinely does not keep logs of your activity. A VPN must also offer strong encryption, prevent IP and DNS leaks, and maintain secure servers.