Why ‘No‑Log’ VPNs Are Lying: Inside a 1.2 TB Data Leak of Seven Providers

Researchers from vpnMentor discovered a 1.2 TB data breach on a shared server used by seven VPN providers that advertise a strict no‑log policy. The exposed data includes personal identifying information (PII) for potentially up to 20 million users, such as email addresses, plaintext passwords, home addresses, and IP addresses.

In addition to PII, the server stored extensive internet activity logs, casting serious doubt on the providers' no‑log claims. The affected VPNs are UFO VPN, FAST VPN, FREE VPN, SUPER VPN, Flash VPN, Secure VPN, and Rabbit VPN. All seven services share a common development framework and application code, suggesting a white‑label solution where the same codebase is rebranded for different companies.

To verify the breach, researchers used the UFO VPN app, connected to various global servers, and monitored the traffic. Their activity was recorded in real time, capturing the account creation details (username and password) as well as device information, source IP, ISP, approximate location, device type, and unique device ID. The logs also revealed which VPN server the user connected to, including its region and IP address.

Impact and Recommendations

The exposure of these details poses multiple risks:

Compromised user credentials can lead to account takeover on other services where the same password is reused.

Detailed connection logs enable attackers to profile user behavior, location, and browsing habits.

Cyber‑criminals can leverage the data for targeted phishing and social engineering attacks.

Typical reasons users adopt VPNs include protecting communication security, accessing geo‑restricted content, bypassing IP‑based restrictions, and political activism. The breach undermines all these use cases.

Following responsible disclosure principles, the researchers reported the vulnerability to the VPN providers on July 5 and alerted Hong Kong’s Computer Emergency Response Team on July 8. The compromised servers were taken offline on July 15.

**Recommendation:** Users of the seven listed VPN services should consider switching to alternative providers with verifiable no‑log policies and should change passwords for any accounts that reuse the same credentials as the VPN services.