Cybersecurity researchers have found an unprotected database weighing over 100GB that contains more than 300 million records including all kinds of personally identifiable information (PII) of VPN users.
Digging through the database, the Comparitech researchers who found it noticed several indications suggesting that the data belongs to ActMobile Networks, which operates Dash VPN, FreeVPN.org, and Dash Net Accelerated VPN, among others.
However, ActMobile has categorically denied ownership of the data, saying it “does not maintain databases” in an emailed response to Comparitech.
Meanwhile, the researchers note that since it was first spotted, the data has been leaked on several other hacker forums, thereby increasing users’ risk of attack.
Dangers of exposed data
According to the researchers, the leaked data can be broadly classified into three categories.
There are 45 million records that include user account details such as email addresses, full names, and encrypted passwords. Then there are 281 million user device info records, which include IP address, country code, connection type (WiFi or mobile), device and user ID, and accelerator ID. Finally, there are six million purchase records, with details of the product purchased and receipts.
Thankfully, the database has no credit cards or other payment-related information.
“The exposed data poses a serious risk to users whose personal information was exposed. The data could be used to launch phishing attacks and, if the passwords are compromised, account takeover and credential stuffing. The data could also be used to track VPN users by their devices’ IP addresses,” notes Comparitech.
Following the denial, Comparitech took additional steps to verify the data’s legitimacy, only to discover further proof that contradicts ActMobile’s claim. In any case, the researchers suggest that users should be on the lookout for targeted phishing messages purportedly from ActMobile, its brands, or related companies.