Security News > 2021 > October > VPN Exposes Data for 1M Users, Leading to Researcher Questioning
Free virtual private network service Quickfox, which provides access to Chinese websites from outside the country, exposed the personally identifiable information of more than a million users in just the latest high-profile VPN security failure.
Researchers at WizCase discovered Quickfox misconfigured the VPN service's Elasticsearch, Logstash and Kibana stack security.
"Data from the leak exposes the names of other software installed on the users' devices, as well as the file location, install date, and version number. It's unclear why the VPN was collecting this data, as it is unnecessary for its process, and it is not standard practice seen with other VPN services," the researchers said in the report.
Following spectacular VPN security failures like the Colonial Pipeline breach, and the leak of thousands of Fortinet VPN account credentials, the U.S. government decided to weigh in and issue guidance on hardening VPNs, including looking for a service with strong encryption and access management.
"IT professionals are challenged with getting employees to effectively use the technology. If the VPN is too difficult to use, or slows down systems, the employee is likely to turn it off. The challenge for IT professionals is to find a VPN solution that is fast and reliable so that employees turn it on once and forget about it."
"To combat employees not always using VPN connections, and provide another layer of security, administrators looked to requiring 2FA for more systems than they had before," he said.