Cyber Incident Victim: UFO VPN
Date: Jul 2020
Location: United States of America
Summary
A VPN service experienced a significant security breach when its database, which stored sensitive user logs despite claiming a no-log policy, was exposed and subsequently destroyed in a "Meow" attack. The compromised data included plaintext passwords, user and VPN IP addresses with geolocation details, session tokens, and device information, with additional impacts extending to thousands of other unsecured MongoDB and Elasticsearch databases. The incident resulted from mismanagement during a database migration, re-exposing records due to configuration failures that allowed unauthorized access prior to the destructive attack.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 5 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The UFO VPN incident began with the exposure of a misconfigured database that contradicted the service's claimed no-log policy. Security researchers initially identified and secured the vulnerable database on July 15, 2020, after discovering it contained sensitive user records. On July 21, the database reappeared online at a different IP address with expanded records, including more recent user data up to July 20. Attackers swiftly exploited this renewed exposure through a "Meow" attack that destroyed most of the database infrastructure, leaving only fragmentary recent records intact. The compromised information included plaintext user passwords, originating and VPN IP addresses with geolocation data, active session tokens, and device operating system details. This marked the second exposure incident for UFO VPN within a week, with the later breach containing both historical and newly generated user data.

The attack coincided with broader campaigns targeting unsecured databases, affecting 276 MongoDB instances and 1,269 Elasticsearch systems during the same period. Security researcher Bob Diachenko confirmed to Hackread.com that UFO VPN's database reappeared due to mismanaged server migration efforts that replicated the original configuration errors. The destruction of records prevented full forensic analysis of the complete dataset scope, though available evidence confirmed continuous logging of user activities contrary to policy claims. No legitimate containment efforts by UFO VPN were documented following the second exposure before the attackers destroyed the database. The incident permanently compromised authentication credentials, device information, and session data for an undetermined number of users while demonstrating systemic security failures in UFO VPN's infrastructure management.
