Lead researcher Noam Rotem said his team found entries within the exposed database that contained personal details about users, such as email addresses, home addresses, clear text passwords, IP addresses and other identifying information.
“The lack of basic security measures in an essential part of a cybersecurity product is not just shocking, it also shows a total disregard for standard VPN practices that put their users at risk,” he said.
Some of the VPNs also offer premium services for a fee – the researchers claim they were also able to view logs of people subscribing to them with some payment information.
Nine News has viewed screen grabs of redacted registration logs – including one belonging to a user based in Australia.
It appears the apps on the exposed server share a common Hong Kong-based owner and developer.
Spokespeople for UFO VPN and Fast VPN issued nearly identical statements in response to questions about the breach: “Due to personnel changes caused by COVID-19, we’ve not found bugs in server firewall rules immediately, which will lead to the potential risk of being hacked. And now it has been fixed”.
The companies also claimed they didn’t collect all the types of data that the researchers say they found.
Mobipotato – the company representing FastVPN – confirmed the server was at risk from June 29 to July 13.
The other companies did not respond to requests for comment, and the contact email provided for RabbitVPN bounced back.
Technology expert Trevor Long said internet users should avoid free VPN services.
“VPNs are an excellent and highly recommended way of ensuring your security, especially when you’re on a public wifi network or operating remotely from your home or office, but you need to trust a bigger VPN company,” he said.
“This is kind of like car insurance, you need to pay for your VPN, it should be a small subscription fee each month.”
“For VPNs to become unsecure by someone being able to access their information at the other end, it ruins the whole purpose of a VPN.”