A large database containing 21 million user records is offered for sale on a hacker forum. According to Cybernews, the data allegedly comes from three different Android VPN services – SuperVPN, GeckoVPN, and ChatVPN.

Among the three, ChatVPN has a fairly small user base with 50,000+ installs, while GeckoVPN and SuperVPN boast more than 10 million and 100 million users respectively.

The database put up sale contains three archives which include a variety of data, such as email addresses, usernames, full names, country names, randomly generated password strings, payment-related data, premium member status and its expiration data, as well as device information including device serial numbers, phone types and manufacturers, device IDs, device IMSI numbers.

According to the seller, the data has been exfiltrated from publicly available databases that were left vulnerable by the VPN providers due to developers leaving default database credentials in use. At the time of writing, it is not clear if the seller’s claims are valid or not as SuperVPN, GeckoVPN, and ChatVPN have yet to confirm or deny the data leak.

“If the data sold by the threat actor is genuine, it appears that the VPN providers in question are logging far more information about their users than stated in their Privacy Policies,” CyberNews noted.