Several VPN apps leaked user data

A server configuration oversight caused data from SuperVPN, GeckoVPN, and ChatVPN users to leak online. It’s now for sale on a hacker forum.

The data of millions of SuperVPN, GeckoVPN, and ChatVPN users is now available on a hacker forum

For sale: Databases of user information stolen from three VPN apps for Android. Location: A popular hacker forum (unnamed).

According to CyberNews, the three databases contain the data of 21 million people, leaked by SuperVPN, GeckoVPN and ChatVPN. At the time of this writing, SuperVPN had more than 100 million downloads on Google Play, GeckoVPN more than a million, and ChatVPN more than 50,000.

The data for sale includes e-mail addresses and passwords (hashed for the first two services and in plaintext for ChatVPN), as well as users’ full names and information about country and payments. One of the databases additionally contains device serial numbers and IDs. Users’ IP addresses were not leaked.

Ad on a hacker forum offering SuperVPN, GeckoVPN, and ChatVPN user data. Source: Cybernews.com

Ad on a hacker forum offering SuperVPN, GeckoVPN, and ChatVPN user data. Source: Cybernews.com

The seller admitted to taking advantage of a configuration error that left the VPN providers’ servers accessible using default usernames and passwords.

This isn’t SuperVPN’s first turn in the headlines for the wrong reasons. In July 2020, researchers at VPNMentor discovered 1.2TB of logs leaked from several VPN providers, including SuperVPN. The current incident represents the first time for the two other apps, GeckoVPN and ChatVPN — at least, as far as we or the public is aware. Another reputable source, Have I Been Pwned?, confirms the incident.

Virtual private networking is a fundamental technology for safe Internet surfing, but not all VPNs are equally strong. Keeping reliability and attention to user safety and privacy top of mind, we put together a guide to choosing the right VPN for you.

Tips