A cybersecurity researcher has discovered an unprotected database linked to SuperVPN with the personal data of millions of users. According to Jeremiah Fowler, co-founder of Security Discovery, the 133 GB database contained up to 360 million records, including sensitive data like IP addresses and emails.

This is the second major data breach linked to SuperVPN. In May 2022, researchers found 10 GB of leaked data from SuperVPN and other free VPN providers circulating on Telegram. The leak affected up to 21 million users.

SuperVPN is a free VPN app available on Google’s Play Store and Apple’s App Store. It has been downloaded over 100 million times on the Play Store. The app was deemed unsafe in 2016 when it had just 10,000 downloads. In 2020, Google removed SuperVPN from the Play Store after researchers discovered it had multiple security vulnerabilities.

Leaked Data Includes Sensitive Information

In a report on vpnMentor, Fowler said the exposed database includes sensitive data like email addresses, IP addresses, geolocation data, websites visited, server usage records, secret keys, app ID numbers, UUIDs, and phone or device model data. Ironically, SuperVPN claims it does not log user data.

Cybercriminals can take advantage of such data in nefarious schemes like identity theft. It can also allow threat actors to launch convincing phishing attacks and other cyberattacks.

While app stores have security policies to protect users, some malicious apps may slip through. Google’s Play Store is much larger and is thought to have less stringent security standards. However, researchers have also found potentially dangerous apps on Apple’s App Store.

Cybercriminals have devised various ways to bypass app store reviews, including updating their apps with malicious code after they’re approved.

How to Spot Unsafe VPN Apps

SuperVPN is listed under different developers on Apple’s and Google’s app stores. On the App Store, the developer is Qingdao Leyou Hudong Network Technology Co., while on the Play Store, SuperSoft Tech is listed as the developer. It’s unclear if both names represent the same entity.

SuperVPN is one of the free VPNs we highlight as unsafe in our article about the best free VPNs. Like many free VPNs, SuperVPN is known to collect user data — some providers share this data with third parties to generate revenue.

To avoid compromising your privacy, we recommend only choosing VPNs that undergo frequent independent security audits. We’ve tested dozens of VPNs. You can learn about our top picks in our article about the five best VPNs.

It’s also important to use an antivirus solution with real-time protection to flag unsafe apps, and to read about the developer of any app you wish to download.
