Exploit: Unsecured Database
UFO VPN: Virtual Private Network Host/ Provider
Risk to Small Business: 1.086 = Extreme
Users who were relying on VPN provider UFO for a safe, anonymous way to secure their communications and data got a nasty surprise this week. Researchers uncovered more than 20 million user logs from the company available on the Dark Web. It’s a double reputation blow for a VPN provider that claims to retain no login or usage information. The 894 GB database was reportedly hosted on an Elasticsearch cluster that was not even password protected. The data allegedly included plaintext passwords, IP addresses, timestamps of user connections, session tokens, device information, and user operating system types, along with geographical information in the form of tags.
Individual Risk: 1.910 = Severe
Anyone who has used the service for a VPN should be concerned about compromise, spear phishing, identity theft, blackmail, or fraud connected to this event.
How it Could Affect Your Customers’ Business: Securing a remote workforce can be complex, especially as communications tools become more easily compromised, like messaging and SMS text. One common security measure that companies take when setting up for remote work is encouraging staffers to connect through a VPN. Failing to adequately investigate the safety record of that VPN provider could create additional risk instead of decreasing it.