VPN Provider's Misconfiguration Exposes One Million Users
At least one million users of a Chinese-run VPN service have had their personally identifiable information (PII) exposed due to a misconfigured Elasticsearch server, Infosecurity can reveal.
The privacy concern affects Quickfox, a free VPN used mainly by the Chinese diaspora to visit sites otherwise inaccessible from outside mainland China, according to reviews site WizCase.
Unfortunately, Quickfox owner Fuzhou Zixun Network Technology had not adequately configured its Elastic Stack security, leaving an Elasticsearch server exposed to the internet with no password protection or encryption enforced.
The 100GB trove found by WizCase's researchers contained 500 million records, including PII on one million users and system data on 300,000 customers. WizCase told Infosecurity that the server has yet to be secured.
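The check below is an added example, not code from WizCase or Quickfox. It shows how a practitioner verifies the kind of misconfiguration described above: an unauthenticated GET / against an Elasticsearch node with X-Pack security enabled returns HTTP 401 (a security_exception), whereas an open node answers 200 with its cluster name and version, after which /_cat/indices tells an anonymous client exactly how much data is on offer. The sample responses and index rows are constructed (sized to mirror the article's 500 million records and 100GB, not captured from the incident), and the host in the usage line is an assumption.

```python
"""Added example: probe an Elasticsearch endpoint for unauthenticated access."""
import json
import sys
import urllib.error
import urllib.request

# Constructed sample responses in the shapes Elasticsearch actually returns
# (not traffic captured from the incident described in the article).
OPEN_ROOT = (200, b'{"name":"node-1","cluster_name":"elasticsearch",'
                  b'"version":{"number":"7.10.2"},"tagline":"You Know, for Search"}')
LOCKED_ROOT = (401, b'{"error":{"type":"security_exception",'
                    b'"reason":"missing authentication credentials for REST request [/]"},'
                    b'"status":401}')
# /_cat/indices?format=json&bytes=b&h=index,docs.count,store.size returns string
# values; closed indices report null counts. Figures below are constructed.
SAMPLE_INDICES = [
    {"index": "user_profiles", "docs.count": "1000000", "store.size": "2147483648"},
    {"index": "app_logs-2021.06", "docs.count": "499000000", "store.size": "105226698752"},
    {"index": "closed_index", "docs.count": None, "store.size": None},
]


def classify_root(status: int, body: bytes) -> str:
    """Verdict for an unauthenticated GET /: 'open', 'auth-required' or 'unknown'."""
    if status in (401, 403):
        return "auth-required"          # security is enforced on the REST layer
    try:
        doc = json.loads(body)
    except ValueError:
        return "unknown"                # not JSON: probably not Elasticsearch at all
    if status == 200 and isinstance(doc, dict) and {"cluster_name", "version"} <= doc.keys():
        return "open"                   # anonymous client got the cluster banner
    return "unknown"


def summarize_indices(rows: list) -> dict:
    """Total documents and bytes across index rows, skipping null (closed) entries."""
    docs = sum(int(r["docs.count"]) for r in rows if r.get("docs.count"))
    size = sum(int(r["store.size"]) for r in rows if r.get("store.size"))
    return {"indices": [r["index"] for r in rows], "docs": docs,
            "bytes": size, "gib": round(size / 2**30, 1)}


def fetch(url: str, timeout: float) -> tuple:
    """GET with no credentials; HTTP error statuses are returned, not raised."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def probe(base_url: str, timeout: float = 5.0) -> dict:
    """Classify base_url and, if open, enumerate what an anonymous client can read."""
    base = base_url.rstrip("/")
    status, body = fetch(base + "/", timeout)
    report = {"url": base, "status": status, "verdict": classify_root(status, body)}
    if report["verdict"] == "open":
        st, cat = fetch(base + "/_cat/indices?format=json&bytes=b"
                        "&h=index,docs.count,store.size", timeout)
        if st == 200:
            report.update(summarize_indices(json.loads(cat)))
    return report


if __name__ == "__main__":
    # Assumed target; only probe hosts you are authorised to test.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:9200"
    print(json.dumps(probe(target), indent=2))
```

A verdict of "open" is the condition the article describes. On Elasticsearch 7.x the fix is `xpack.security.enabled: true` in elasticsearch.yml together with `network.host` bound to a non-public interface; from 8.0 security is enabled by default, so the exposure usually comes from an older release or from someone switching it off.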
The exposed PII included customers' email addresses, IP addresses, phone numbers, device-type details and MD5-hashed passwords. WizCase warned that MD5 is itself far from secure and that the hashes can be cracked with modern technology.
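To show why unsalted MD5 password hashes in a leak like this are close to plaintext, here is an added example (not code from WizCase or Quickfox, and not data from the incident). The "leaked" records are constructed from well-known weak passwords. Reversing unsalted MD5 costs one hash per dictionary word regardless of how many users were exposed, because a single lookup table serves every victim; the same attack against a salted, deliberately slow KDF (PBKDF2-HMAC-SHA256 here, with the iteration count lowered so the demo finishes quickly) must pay a full KDF run for every user and candidate pair.

```python
"""Added example: dictionary attack on unsalted MD5 vs. salted, slow hashing."""
import hashlib
import hmac
import os

# Constructed sample leak in the shape the article describes (email + MD5 hash).
# Three users chose passwords from the wordlist; the fourth did not.
LEAKED = {
    "alice@example.com": "5f4dcc3b5aa765d61d8327deb882cf99",   # md5("password")
    "bob@example.com":   "e10adc3949ba59abbe56e057f20f883e",   # md5("123456")
    "carol@example.com": "d8578edf8458ce06fbc5bb76a58c5ca4",   # md5("qwerty")
    "dave@example.com":  hashlib.md5(b"correct horse battery staple").hexdigest(),
}
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "iloveyou"]
PBKDF2_ROUNDS = 20_000   # demo value; use a much higher count in production


def crack_unsalted_md5(leaked: dict, wordlist: list) -> dict:
    """One precomputed table reverses every user's hash with O(1) lookups."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {email: table[h] for email, h in leaked.items() if h in table}


def hash_salted(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash: each stored password needs its own expensive computation."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def build_salted_records(passwords: dict) -> dict:
    """What the same users would look like in a properly designed credential store."""
    records = {}
    for email, pw in passwords.items():
        salt = os.urandom(16)
        records[email] = (salt, hash_salted(pw, salt))
    return records


def crack_salted(records: dict, wordlist: list) -> tuple:
    """Per-user salts defeat the shared table: every (user, candidate) pair costs a KDF run.
    Returns the recovered passwords and the number of KDF invocations needed."""
    found, kdf_calls = {}, 0
    for email, (salt, digest) in records.items():
        for w in wordlist:
            kdf_calls += 1
            if hmac.compare_digest(hash_salted(w, salt), digest):
                found[email] = w
                break
    return found, kdf_calls


def demo() -> dict:
    """Run both attacks over the constructed data and report the work each required."""
    md5_found = crack_unsalted_md5(LEAKED, WORDLIST)
    originals = {"alice@example.com": "password", "bob@example.com": "123456",
                 "carol@example.com": "qwerty", "dave@example.com": "correct horse battery staple"}
    salted_found, calls = crack_salted(build_salted_records(originals), WORDLIST)
    return {"md5_cracked": md5_found, "md5_hashes_computed": len(WORDLIST),
            "salted_cracked": salted_found, "kdf_calls": calls}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The weak passwords fall either way; the difference is the cost. The MD5 attack computed six hashes for four users and would still compute six for a million users, which is exactly why a leaked table of unsalted fast hashes is treated as a leak of the passwords themselves.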
This would have been enough for fraudsters to follow up with phishing emails, vishing phone calls and other tactics designed to elicit further sensitive information like credit card or bank details.
“The leaked information about device type and installed software could