BeanVPN leaks 25 million user records

Free VPN software provider BeanVPN has reportedly left almost 20GB of connection logs accessible to the public, according to an investigation by Cybernews.

The 18.5GB cache of connection logs allegedly contained more than 25 million records, including user device and Play Service IDs, connection timestamps, IP addresses and more.

Cybernews said it found the database on an ElasticSearch instance during a routine checkup. The company has now reportedly closed the instance.

Still, if picked up by malicious actors, the information could be exploited to de-anonymize and thus identify BeanVPN’s users and their approximate location.

“The Play Service ID could also be used to find out the user’s email address that they are signed in to their device with,” explained Aras Nazarovas, a security researcher from Cybernews.

According to the VPN provider’s website, however, its privacy policy clearly states they don’t collect logs of user activity, “including no logging of browsing history, traffic destination, data content or DNS queries.” 

The privacy policy also says BeanVPN does not collect IP addresses, outgoing VPN IP addresses, connection timestamps or session durations. 

These claims would starkly contrast with the information allegedly obtained by Cybernews, which would essentially contain all user data BeanVPN says it does not collect.

The company did not immediately respond to Infosecurity Magazine’s request for comment on the matter, and we will update this article with any relevant information as soon as it becomes available to us.

VPNs are useful tools to increase one’s privacy and security posture. However, according to Etay Maor, senior director of security strategy at Cato Networks, they may be seeing a reduction in adoption rates at several enterprises because of various post-pandemic trends.
