This free VPN leaked data from millions of users online - find out if you’re affected

Breached SuperVPN data includes original IP addresses, geolocation details and visited websites

A popular free VPN service has been accused of leaking over 360 million user data records online.

SuperVPN’s breach includes a staggering amount of people’s sensitive information, including email addresses, original IP addresses, geolocation records, unique user identifiers, references to visited websites, and more.

With the service counting over 100 million downloads worldwide across the Google and Apple app stores, the expert who investigated the incident believes it should “serve as a wake-up call” for users about the need to choose a trustworthy VPN service instead.

SuperVPN risks

“As more people around the world care about data privacy or try to bypass censorship they often use a VPN. This is a prime example of what data could be captured, shared with governments, or exposed in the event of a data breach,” Jeremiah Fowler, the cybersecurity researcher who discovered and reported on the breached database, told TechRadar Pro.

Fowler discovered a publicly exposed database linked with the SuperVPN app containing 133 GB of data, including personal user information such as IP location, servers used and Unique App User ID numbers as well as details about user online activities, device model, operating system and refund requests.

After Fowler reached out to the available email addresses associated with both the iOS and Android VPN app versions, the database was closed without any explanation.

The move is especially concerning as the SuperVPN app was, in fact, trending on Twitter “as recently as last week when Pakistan blocked social media,” Fowler told us.

Another reason to worry comes from looking at the ownership behind SuperVPN. In his report for VPNMentor, Fowler observed how the app is listed under separate developers on the two different app stores despite having exactly the same name and two very similar logos.

On Google Play, SuperVPN is credited to SuperSoft Tech, while SuperVPN for iOS, iPad, and macOS is said to be developed by Qingdao Leyou Hudong Network Technology Co. Among the leaked files, Fowler could even find references to another company named Changsha Leyou Baichuan Network Technology Co.

“All appear to have connections to China, and notes inside the database were in the Chinese language,” he confirmed, arguing that all indications point to Qingdao Leyou Hudong Network Technology Co. as the owner of the public database exposing SuperVPN’s user data.

Neither company responded to any requests for comments, nor provided any information about their ownership and location on their websites - a move which, according to Fowler, raises “concerns about the transparency and security of these free VPN services.”

This isn’t the first time that SuperVPN has alarmed cybersecurity experts. In 2020, users were warned to delete this VPN as it was putting millions of VPN users at risk of hacking. SuperVPN was also identified as dangerous in 2016, when Australian researchers found it guilty of being one of the most malware-rigged VPN apps around.

How to avoid unsecure VPNs

Sadly, this incident is one of a series of instances that show the risks of using an unsecure VPN service to protect online data. That’s especially troubling as internet shutdowns are on the rise and, subsequently, people are in dire need of security and circumvention tools on a very limited budget.

“This incident serves as a wake-up call for anyone who uses a VPN to understand why choosing a trustworthy and reputable service is important for your privacy in more ways than just your internet activities,” said Fowler.

Fowler suggests looking out for these red flags before signing up for a VPN service:

For those after a reliable free service, our favorite at the moment is PrivadoVPN. Elsewhere, some providers, including Surfshark, offer premium accounts for NGOs, activists and journalists living under restricted internet freedom.

It is also worth noting that many premium services are far from being a secure VPN, SuperVPN included, as it also sells paid subscriptions.

“The narrative is not limited to free VPN—it’s about companies that do not care about privacy,” Hide.me VPN CEO Sebastian Schaub told TechRadar Pro.

“If you have a Chinese player with zero trust records, no corporate history, no public leadership and suspicious looking apps, I’d call for greater oversight on how they are even able to participate in the marketplace. Apple and Google should enforce the disclosure of which data is being processed and stored, and then inform the users.

“I’d say it’s a rather grim outlook—the malicious behavior continues and there’s not much you can do about it until big corporations limit the visibility of shady apps.”

Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life—wherever cybersecurity, markets and politics tangle up. She mainly writes news, interviews and analysis on data privacy, online censorship, digital rights, cybercrime, and security software, with a special focus on VPNs, for TechRadar Pro, TechRadar and Tom’s Guide. Got a story, tip-off or something tech-interesting to say? Reach out to chiara.castro@futurenet.com
