Experts warn that virtual private networks are increasingly vulnerable to leaks and attack.
Free virtual private network (VPN) service Quickfox, which provides access to Chinese websites from outside the country, exposed the personally identifiable information (PII) of more than a million users in just the latest high-profile VPN security failure.
The incident has some security practitioners questioning whether VPNs are an outdated technology.
Researchers at WizCase discovered that Quickfox had misconfigured the security of the VPN service's Elasticsearch, Logstash and Kibana (ELK) stack. The trio of programs helps manage searches, the report explained.
“Quickfox had set up access restrictions from Kibana but had not set up the same security measures for their Elasticsearch server,” according to the report. “This means that anyone with a browser and an internet connection could access Quickfox logs and extract sensitive information on Quickfox users.”
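The gap the report describes, access controls on Kibana but none on the Elasticsearch server behind it, comes down to a handful of settings. The fragment below is an added illustration, not Quickfox's actual configuration or anything from the WizCase report; the addresses, keystore paths and password placeholder are assumptions.

```yaml
# Constructed example. Three YAML documents stand in for three files.

# elasticsearch.yml, exposed: the REST API on port 9200 is reachable from
# any network and answers without credentials, so restricting Kibana
# protects nothing. Anyone who can reach the port can query the indices.
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
---
# elasticsearch.yml, corrected: bind to a private interface and require
# authentication and TLS on the HTTP API itself.
network.host: 10.0.0.5                                   # assumed private address
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12    # assumed path
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: certs/transport.p12   # assumed path
---
# kibana.yml: Kibana authenticates to Elasticsearch like any other client
# instead of being the only gate in front of the data.
elasticsearch.hosts: ["https://10.0.0.5:9200"]
elasticsearch.username: "kibana_system"
elasticsearch.password: "<placeholder: load from the Kibana keystore>"
```

An unauthenticated request to port 9200 from outside the private network should fail to connect, and one from inside it should return HTTP 401.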
Quickfox users in China, Indonesia, Japan, Kazakhstan and the U.S. were affected, the researchers found, adding that a total of 500 million records and 100GB of data were exposed.
The leaked data fell into one of two categories, the report said: PII like emails and phone numbers, but also information about software on the devices of around 300,000