On October 12, researcher Bob Diachenko tweeted:
Since Fri I’ve been trying to get in touch with someone from ActMobile [@ActMobile] to responsibly alert that their VPN userbase (45M+) info (email, pwd, IPs, devices etc) is exposed to public but no luck. Incl. but not limited to @DashVPN, https://t.co/sdN3byHNcJ. Anyone?
— Bob Diachenko (@MayhemDayOne) October 12, 2021
Apparently he eventually got a response, but it was not what one would hope for. On October 30, Bob provided an update from ActMobile, claiming that “We do not maintain databases, so whatever is referenced is false. If you write about us we will take action.”
And in pre-final, Halloween-ish twist of DashVPN/FreeVPN.org data exposure event… pic.twitter.com/RE4DzKq0Gx
— Bob Diachenko (@MayhemDayOne) October 30, 2021
As you might guess, the threat to “take action” against a whitehat researcher who had been trying to engage in responsible disclosure to no avail did not sit well with researchers and journalists who read Bob’s tweets (including this blogger, who has known Bob and collaborated with him occasionally since 2015 or so).
But Bob’s tweets also did not sit well with @Pompompur_in on Twitter, who took to his blog to reveal what he had discovered about the databases and leaks ActMobile had denied. Pompompur_in writes (any typos are in the original):
Lets prove that Actmobile was indeed breached really quick, to clear any doubt some people might have. While being rude to a Whitehat security researcher after they disclose a critical flaw might not get your data leaked, he’s not the only one who found the server 🙂
Although Bob Diachenko would never leak data in retaliation for ActMobile or any entity not responding to responsible disclosure, Pompompur_in is not a whitehat researcher.
Pompompur_in then proceeded to produce screencaps of the files he had found and exported, and the configuration of a MongoDB installation that appears to be ActMobile’s. But then Pompompur_in really drives the point home, first quoting from ActMobile’s privacy policy in response to the question “What information do we collect?” and then providing data from a table:
“None, We do not collect any information of our users before, during, or even after using our app or service. We believe in 100% privacy for all our users.”
Table “portal_api_device” has entered the chat.
The following is just one record from the table:
{
  "_id": "ADV-9215fa99-2797-c071-1111-11111111",
  "last_updated": {"$date": "2021-05-15T23:59:35.932Z"},
  "balance_bytes": -1,
  "ip": "85.109.223.89",
  "app_id": "",
  "fastest_region": "EU",
  "user_id": {"$oid": "57397471d3c41405b2c7bbde"},
  "recent_country_code": "TR",
  "os_version": "1.0",
  "latitude": "00040.0000000000",
  "app_version": "3.032",
  "license_state": "spon",
  "added": {"$date": "2016-02-25T12:02:01.260Z"},
  "ad_id": null,
  "has_rolling_trial": false,
  "is_active": true,
  "last_notif_sent_ts": -1,
  "_Device__dashboard_instructions": "{}",
  "longitude": "00036.0000000000",
  "device_name": "etab5",
  "vpn_ip": "10.2.80.203",
  "license_expiry_ts": {"$numberLong": "2528020353"},
  "model": "Android Phone",
  "os": "android"
}
Is that IP address, device name, and location data in there, too? Do people ever use their real names as part of device names? Isn’t at least some of that personal information?
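The record above is in the MongoDB Extended JSON form that `mongoexport` emits (`$date`, `$oid`, `$numberLong` wrappers). The following Python is an added example, not code from the post, from Bob Diachenko, from Pompompur_in or from ActMobile: it parses records in that form and labels the fields that carry personal data (public and VPN-internal IP addresses, coordinates and country, device and account identifiers, e-mail addresses), which is the inventory an operator or a regulator would want before deciding whether a dump "is a database". The sample record is the one quoted above with straight quotes; the field categories and the `GEO_FIELDS`/`DEVICE_FIELDS`/`ACCOUNT_FIELDS` name lists are assumptions made for this example.

```python
"""Inventory personal-data fields in mongoexport-style records.

Added example: parses MongoDB Extended JSON ($date, $oid, $numberLong)
and labels fields that carry personal data. Field-name lists below are
assumptions for this example, not a documented ActMobile schema.
"""
import ipaddress
import json
import re
from datetime import datetime

# Constructed sample: the single record quoted in the post, with straight
# quotes. The masked tail of "_id" is exactly as it appears in the post.
SAMPLE_RECORD = (
    '{"_id":"ADV-9215fa99-2797-c071-1111-11111111",'
    '"last_updated":{"$date":"2021-05-15T23:59:35.932Z"},"balance_bytes":-1,'
    '"ip":"85.109.223.89","app_id":"","fastest_region":"EU",'
    '"user_id":{"$oid":"57397471d3c41405b2c7bbde"},"recent_country_code":"TR",'
    '"os_version":"1.0","latitude":"00040.0000000000","app_version":"3.032",'
    '"license_state":"spon","added":{"$date":"2016-02-25T12:02:01.260Z"},'
    '"ad_id":null,"has_rolling_trial":false,"is_active":true,'
    '"last_notif_sent_ts":-1,"_Device__dashboard_instructions":"{}",'
    '"longitude":"00036.0000000000","device_name":"etab5","vpn_ip":"10.2.80.203",'
    '"license_expiry_ts":{"$numberLong":"2528020353"},"model":"Android Phone",'
    '"os":"android"}'
)

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Assumed name lists: which field names mean location, device, or account.
GEO_FIELDS = {"latitude", "longitude", "recent_country_code"}
DEVICE_FIELDS = {"device_name", "model"}
ACCOUNT_FIELDS = {"_id", "user_id", "ad_id"}


def decode_extended_json(value):
    """Recursively unwrap mongoexport Extended JSON wrappers into Python values."""
    if isinstance(value, dict):
        if set(value) == {"$date"}:
            return datetime.fromisoformat(value["$date"].replace("Z", "+00:00"))
        if set(value) == {"$oid"}:
            return value["$oid"]
        if set(value) == {"$numberLong"}:
            return int(value["$numberLong"])
        return {k: decode_extended_json(v) for k, v in value.items()}
    if isinstance(value, list):
        return [decode_extended_json(v) for v in value]
    return value


def parse_record(line):
    """Parse one mongoexport line (one JSON document per line)."""
    return decode_extended_json(json.loads(line))


def classify_field(name, value):
    """Return a personal-data category for a field, or None if it is not one."""
    if value is None or value == "":
        return None
    if isinstance(value, str):
        if EMAIL_RE.match(value):
            return "email"
        try:
            addr = ipaddress.ip_address(value)  # catches both "ip" and "vpn_ip"
            return "private_ip" if addr.is_private else "public_ip"
        except ValueError:
            pass
    if name in GEO_FIELDS:
        return "geolocation"
    if name in DEVICE_FIELDS:
        return "device_identifier"
    if name in ACCOUNT_FIELDS:
        return "account_identifier"
    return None


def inventory(record):
    """Map each personal-data field of a decoded record to its category."""
    found = {}
    for name, value in record.items():
        category = classify_field(name, value)
        if category:
            found[name] = category
    return found


def summarize(records):
    """Count how many records in a dump expose each category."""
    counts = {}
    for rec in records:
        for category in set(inventory(rec).values()):
            counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    rec = parse_record(SAMPLE_RECORD)
    for field, category in sorted(inventory(rec).items()):
        print(f"{field:22s} {category}")
    print(summarize([rec]))
```

Run it over a whole export with `summarize(parse_record(line) for line in open("dump.json"))` (path is a placeholder) to get per-category counts for a dump rather than one record. Note that the sample's latitude and longitude decode to whole degrees (40.0 and 36.0), so in this record the coordinate fields are country-level rather than street-level, which is consistent with the `recent_country_code` value; whether other records are more precise is something only the full dump can show.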
You can read Pompompur_in’s full report and post on his blog.
Bob Diachenko has not released his own report yet; it will probably include a finer analysis of what kinds of data types Bob found in the exposed data and how many of each. He has already indicated that their 45+ million user database for VPN was exposed and that it contained emails and passwords.
As to ActMobile, they now have some additional problems to address, not the least of which is the fact that they didn’t respond to responsible disclosure to secure their data and they had what this site considers to be the incredibly bad judgement to try to threaten an established researcher. Yes, researchers can make mistakes (and so can journalists), but ActMobile’s response will likely infuriate consumers who read Pompompur_in’s or Bob’s reports, and consumer anger will likely lead to requests to regulators to investigate whether ActMobile has deceived the public or violated any data protection laws here or in the EU.
And since non-public communications suggest that the ActMobile data are already in a few people’s hands, don’t be surprised if the data shows up on a leak site.
Updated 1:52 pm. It seems it has already been leaked on a popular forum. DataBreaches.net has reached out to ActMobile to request a statement or response and will update this post when one is received.