21 million mobile VPN app user data swiped and advertised for sale.

08 May 2022
BREACHAWARE HQ

A total of 13 breach events were found and analysed, resulting in 24,556,799 exposed accounts containing a total of 9 different types of personal data. The breaches found publicly and freely available included Gecko Super VPN, GoGames, Y Can Tho, Xfinity and Wintip. Sign in to view the full library of breach events which includes, where available, reference articles relating to each breach.

Categories of Personal Data Discovered

Contact Data, Technical Data, Usage Data, Locational Data.

Data Breach Analysis

A notable inclusion is Gecko Super VPN, part of a broader category of virtual private network (VPN) services that users often rely on to maintain online anonymity and secure their browsing activity. A breach involving a VPN provider undermines a fundamental promise of privacy. While users typically trust these services to shield their internet activity from prying eyes, a data exposure event introduces concerns around surveillance, user location, and browsing pattern leaks, issues that are particularly critical for individuals in restrictive regimes or under corporate or political scrutiny.

GoGames, representing the online gaming sector, also features in this analysis. Gaming platforms often collect not just usernames and email addresses but also behavioural data, in-game purchase records, and connected social media profiles. Younger users, who make up a significant share of this audience, may be especially vulnerable to exploitation, including account hijacking, scams, or exposure to inappropriate content if their credentials are compromised.

The breach list also includes Xfinity, a major telecommunications and internet service provider in the United States. Xfinity’s customer base includes millions of users who entrust the company with sensitive information ranging from billing details and service addresses to streaming history and connected devices. Any data leak involving such a provider elevates the risk profile significantly, as it could be leveraged in targeted phishing campaigns, social engineering, or broader identity theft schemes.

Y Can Tho, likely referencing a Vietnamese regional telecom or service provider, introduces a localised dimension to the breach landscape. While not as globally recognised, regional providers often maintain essential infrastructure within their countries or communities, and any compromise to their customer data can carry real-world consequences, particularly in areas with fewer consumer protection or data notification laws.

Wintip, though less well-known, underscores how smaller or niche platforms are not exempt from cyber threats. Whether the site is related to e-commerce, gambling, or entertainment, it adds to the growing list of platforms breached due to poor data governance or outdated security measures. Smaller businesses are often targeted precisely because they may not have the resources to implement robust cybersecurity controls, making them attractive targets for attackers seeking easy access to personal data.

In aggregate, the exposure of over 24 million accounts in just 13 breaches highlights the persistent and evolving nature of digital threats. The intersection of consumer tech (like VPNs and gaming) with critical infrastructure (telecom and internet providers) suggests a systemic vulnerability that crosses both user expectations and institutional responsibilities.

From a user perspective, the risks include potential unauthorised account access, spam, phishing attacks, and broader identity theft. For businesses, the stakes are even higher, ranging from regulatory fines and legal action to reputational damage and customer attrition. The involvement of platforms with both regional and international user bases also highlights the challenges of enforcing consistent cybersecurity standards across borders and industries.

This analysis underscores the need for ongoing vigilance in the digital space. For users, that means monitoring account activity, avoiding password reuse, enabling multi-factor authentication, and minimising personal data shared online. For companies, it reinforces the importance of security-by-design, timely patching, data encryption, and clear incident response protocols.

Ultimately, as breaches increasingly target both expected and unexpected platforms, public trust in digital systems remains vulnerable, and restoring it requires transparency, investment, and a shift from reactive to proactive security strategies.

Spotlight

An article this week by The Daily Swig reported a data breach at a regional US utility company. What prompted our interest? The data types exposed included card CVVs. We do not often see CVV data types, as they are considered 'Sensitive Authentication Data' and are therefore subject to PCI-DSS compliance.

The Payment Card Industry Data Security Standard (PCI-DSS) requirement 3.2 states that Sensitive Authentication Data can never be stored after authorisation is completed. This means that the data can be collected for the purposes of authorising a payment transaction, but must be deleted once authorisation is completed. Encryption of this data is not sufficient; all data must be securely deleted so that it is unrecoverable. (Source: Global Payments Integrated and highlighted by Michael Smith, Cyber Security Consultant, Washington).

An older breach has started to circulate on the underground forums: a combo list of free VPN services (GeckoVPN, SuperVPN and ChatVPN) in which the data of 21 million mobile VPN app users was swiped and advertised for sale in early 2021. This data is now free to download on various forums, so the assumption is that hackers have already exploited the commercial value of this data, hence its free availability.

Advertising companies have had several notable data breaches in the past few years, but this recent 250GB dump is definitely a formidable one. We are currently assessing the data and whether it is linked to a previous breach.

The company in question analyses and sells customer and business data. A large variety of datasets is included in this breach, along with some datasets we don’t see every day, such as recent mortgage interest rates and whether a person owns a computer.

A second Nestle data list of individuals was uploaded, we assume by groups targeting western companies still operating in Russia, together with data from a tech forum and from education, oil industry and retail domains.
