2000 Million VPN Users Are Leaking Private Data Online: What to Do

Seven different VPN service providers collected and logged user information in violation of their "no logging" policies, and left over 1TB of data belonging to 20 million users unprotected on an open cloud server where anyone could find it.

The exposed data included usernames, plain-text passwords, connection logs, and website visit history.

The seven less than spectacular services--Fast VPN, Flash VPN, Free VPN, Rabbit VPN, Secure VPN, Super VPN, and UFO VPN--appear to be owned by the same company or to use the same third-party "white label" VPN infrastructure. With the exception of UFO VPN, the websites of all the services are remarkably similar. All appear to be based in Hong Kong.

Last week, widely used VPN providers Private Internet Access and TunnelBear announced that they are shutting down operations in Hong Kong due to new laws that give Chinese authorities more power to spy on Internet users and seize their servers.

When you sign up for a virtual private network (VPN) service, especially one that claims not to record any usage data, you expect the service to keep your information private. But that doesn't seem to be the case here.

If you are using one of these VPN services, we recommend that you change your password for that service immediately and also change it on any other accounts where you reused the same password.

You should also immediately stop using that VPN and consider asking the VPN provider some tough questions; Tom's Guide has reached out to Dreamfii HK, the parent company of UFO VPN, for comment.

Two different teams of security researchers found this user data online. The first was Bob Diachenko of Comparitech, who on July 1 discovered a server with 894 GB of UFO VPN data stored on it. Four days later, the VPNMentor team discovered the same server and noticed that it also contained data from six other VPNs.

Usernames, plaintext passwords, email addresses, home addresses, IP addresses, bitcoin data, PayPal payment data, connection logs, session tokens, location data, customer complaint logs, and website visit history were exposed, totaling over 1 billion records and 1.2TB of data.

"The lack of basic security measures in a critical piece of cybersecurity product is not only shocking," the VPNMentor report states. "It also completely ignores standard VPN practices that put users at risk."

VPNMentor's team created UFO VPN accounts and watched in real time as the accounts' personal information was exposed.

The logs showed that some users were accessing these VPNs from countries where the use of VPNs is illegal, including Iran. The public database could have put these users in physical danger.

Cybercriminals could have used the published usernames and passwords to hijack VPN accounts or launch credential-stuffing attacks on other services, assuming that many users reuse their passwords.

As is the case with most such public databases, there is no evidence that anyone other than computer researchers had access to this data. However, this particular server was indexed by a first-stage search engine on June 27, which means that it was listed as accessible for over two weeks.

The VPNMentor team immediately tried to contact the VPN provider, but received little response. A few days later, VPNMentor contacted the Computer Emergency Response Team (CERT) in Hong Kong, but was told that this was not a Hong Kong problem. Finally, on July 15, the database on the server was protected.

"Due to personnel changes caused by COVID-19, a bug in the server's firewall rules was not immediately found, leading to a potential risk of being hacked," UFO VPN said in a statement confirming the findings of Diachenko and VPNMentor. "And now it has been fixed."

Of the seven services at issue, only UFO VPN appears to offer client software for PCs as well as mobile devices. Another, Super VPN, is mobile-only but, like UFO VPN, offers both free and paid plans.

The other five are mobile-only and appear to be completely free: Rabbit VPN, Secure VPN, Flash VPN, Free VPN, and Fast VPN.

Mobile-only free VPN providers are notorious for security holes, and Tom's Guide recommends against using providers that are completely free. As the old adage goes, if you are not paying for the service, you are the product.
