SuperVPN, a popular free VPN service provider, has suffered a massive data breach exposing more than 360 million user records.

VPNMentor researcher Jeremiah Fowler has found a non-password protected database belonging to SuperVPN.

In total, 133GB of sensitive data including user email addresses, original IP addresses, and geolocation information is said to have been exposed in the leak. Additionally, the exposed details included secret keys, Unique App User ID numbers, and UUID numbers.

The records also contained information on phone or device model, operating system, internet connection type, VPN app version, as well as refund requests from customers.

“The same Super VPN’s customer support emails were also linked to Storm VPN, Luna VPN, Radar VPN, Rocket VPN and Ghost VPN (not to be confused with CyberGhost VPN). In addition, references to these VPN provider names were found inside the database. At this point, it is not possible to determine if these VPNs are owned by the same company,” the report reads.

The researcher noted two apps named SuperVPN on Apple’s AppStore and Google Play, listed under two separate developers with connection to China. Qingdao Leyou Hudong Network Technology Co. was the developer behind SuperVPN for iOS, iPad, and macOS, while SuperSoft Tech developed the second app with the same name. VPNMentor reached out to both companies but never received a reply. However, the database was secured after the breach was reported to the vendor via available email addresses associated with both apps.