29 May 2023

Free VPN provider SuperVPN exposes 360 million user records


Free VPN provider SuperVPN exposes 360 million user records

SuperVPN, a popular free VPN service provider, has suffered a massive data breach exposing more than 360 million user records.

VPNMentor researcher Jeremiah Fowler has found a non-password protected database belonging to SuperVPN.

In total, 133GB of sensitive data including user email addresses, original IP addresses, and geolocation information is said to have been exposed in the leak. Additionally, the exposed details included secret keys, Unique App User ID numbers, and UUID numbers.

The records also contained information on phone or device model, operating system, internet connection type, VPN app version, as well as refund requests from customers.

“The same Super VPN’s customer support emails were also linked to Storm VPN, Luna VPN, Radar VPN, Rocket VPN and Ghost VPN (not to be confused with CyberGhost VPN). In addition, references to these VPN provider names were found inside the database. At this point, it is not possible to determine if these VPNs are owned by the same company,” the report reads.

The researcher noted two apps named SuperVPN on Apple’s AppStore and Google Play, listed under two separate developers with connection to China. Qingdao Leyou Hudong Network Technology Co. was the developer behind SuperVPN for iOS, iPad, and macOS, while SuperSoft Tech developed the second app with the same name. VPNMentor reached out to both companies but never received a reply. However, the database was secured after the breach was reported to the vendor via available email addresses associated with both apps.

Back to the list

Latest Posts

Cyber Security Week in Review: June 14, 2024

Cyber Security Week in Review: June 14, 2024

In brief: Arm warns of actively exploited Mali GPU zero-day, Microsoft delays the release of its AI-powered Recall feature, and more.
14 June 2024
TellYouThePass ransomware weaponizes recently patched PHP flaw

TellYouThePass ransomware weaponizes recently patched PHP flaw

Imperva identified several campaigns exploiting the CVE-2024-4577 vulnerability.
13 June 2024
Ukraine neutralizes bot farms involved in hacking Ukrainian soldiers’ phones

Ukraine neutralizes bot farms involved in hacking Ukrainian soldiers’ phones

Additionally, the bot farm was used to spread Russian fake news.
13 June 2024