back to article Seven 'no log' VPN providers accused of leaking – yup, you guessed it – 1.2TB of user logs onto the internet

A string of "zero logging" VPN providers have some explaining to do after more than a terabyte of user logs were found on their servers unprotected and facing the public internet. This data, we are told, included in at least some cases clear-text passwords, personal information, and lists of websites visited, all for anyone to …

  1. DS999 Silver badge

    White label VPN service

    I suppose you can say "Alpha VPN Service doesn't keep logs" and aren't technically lying, even if you are reselling Beta VPN service which does. Heck, Alpha VPN Service might not even KNOW what sort of logging Beta VPN does, all the better for deniability.

    1. Maelstorm Bronze badge

      Re: White label VPN service

      To expand on that, if the reselling VPN provider uses multiple VPN vendors, each vendor could be logging different things. Then nobody would know who is logging what.

  2. Maelstorm Bronze badge

    In Soviet Russia, you do not log the VPN connections, the VPN connections log YOU.

    1. Anonymous Coward
      Anonymous Coward

      s/Soviet Russia/UK,USA,Australia,....../

      1. Imhotep

        Or Hong Kong-China in this case.

    2. Tail Up

      Up # двадцать девять.

  3. ecofeco Silver badge

    Oh FFS

    See title.

  4. Throatwarbler Mangrove Silver badge

    Duh, and also . . .

    Thinking about how VPNs work, this issue seems like it was going to crop up eventually. It's a question of trust: whoever owns the endpoint of your Internet connection has the ability to collect a ton of information about your Internet traffic. The average punter is sold on the notion that their traffic is "protected," but the question is, from whom? If you don't trust your ISP for whatever reason, then you need to make an informed choice about the VPN provider, as mentioned in the article. Unfortunately, it seems like a lot of people aren't familiar with the technical and security merits of the various providers, which leads me to my second point.

    The other use of VPN software is to make it appear that your Internet connection is somewhere different, e.g. the United States instead of Morocco. While there are free speech uses of this technology, other popular use cases are accessing media content that is region-locked or obfuscating BitTorrent traffic, and I think it's to the latter users that low-cost VPN providers primarily cater. Someone who is concerned about their ISP or government spying on them is more likely to pick a more carefully vetted VPN, while illicit users of Netflix and BitTorrent seem more likely to care primarily about superficially masquerading their location.

  5. David 132 Silver badge

    So, recommendations?

    Which VPN providers are trustworthy?

    I use Private Internet Access (PIA) based on recommendations here & elsewhere; anyone got solid evidence that I should switch?

    1. NetBlackOps

      Re: So, recommendations?

      They're the only one to prove in court that, at those times (of course), they don't keep logs. Which is why I've stayed with them. I certainly would never trust a free provider. I'd add ProtonVPN as a best alternative given their track record and domicile.

      1. julian.smith
        Thumb Up

        Re: So, recommendations?

        + 1 AirVPN

        They shut down all of their HK servers recently just after the Chinese takeover of HK

        Been with them for years

        Seem technically competent

        Never a breath of scandal

    2. tommitytom

      Re: So, recommendations?

      I also use PIA, but it's worth noting they recently got bought out by Kape technologies who have a history of embedding malware in their VPN software

      1. FatGerman Silver badge

        Re: So, recommendations?

        I stuck with PIA but I use it exclusively on an Ubuntu machine where I set the connection up manually, I never use their client software, but thanks for the heads-up.

    3. Anonymous Coward
      Anonymous Coward

      Re: So, recommendations?

      I am considering switching from CyberGhost to Mullvad. The latter doesn't even ask for your details (and also allows payment in cryptocurrency or cash, in an envelope).

      They support OpenVPN and WireGuard protocols, support IPv4 + IPv6 and have sorted out a lot of other tech stuff pretty well. They are sponsors of the TOR project and score pretty well in the VPN matrix of ThatOnePrivacySite.

      1. Anonymous Coward
        Anonymous Coward

        Re: So, recommendations?

        I did loads of research and moved from PIA after they were bought by Kape.

        I ended up with AirVPN. Loads of options, works with everything and speeds are exeptional.

        It seems that there's a huge industry in affiliate links so it's hard to evaluate each provider. I used ThatOnePrivacySite along with Tom Spark's YouTube channel to reach a conclusion.

      2. Anonymous Coward
        Anonymous Coward

        Re: So, recommendations?

        I was looking for the Mullvad plug. They are adding new servers frequently and have never asked for my information. Even if they do log (they say they don't and I believe it), there is no user data other than my ID that their servers ingress, and you can change your ID at any time and pay with crypto.

        There is no bandwidth or throughput limiting so my speeds are never impacted, they don't track how much you use anyway. Highly recommend,

        1. Hol314

          Re: So, recommendations?

          I went with Mullvad based on the thorough review by "That One Privacy Guy", who seems trustworthy... Still, I was comforted in my choice when I learned that Mozilla teamed up with Mullvad to offer their vpn service!

      3. Anonymous Coward
        Anonymous Coward

        Re: So, recommendations?

        +1 airvpn.

        I was with cyberghost, but they don't allow incoming connections, and switched off ip6 without warning, they said when I contacted them it was an upgrade, but it was still down weeks later.

    4. Aristotles slow and dimwitted horse

      Re: So, recommendations?


    5. Anonymous Coward
      Anonymous Coward

      Re: So, recommendations?

      Bought a VM in the country where I wanted the VPN, spooled up a copy of Debian, cooked my own. That still doesn't preclude traffic logging by the provider, but that's why you choose a decent country first and you can set up a few things on the box itself to mess up the statistics.

    6. JCitizen

      Re: So, recommendations?

      Check Point is the only one I'd trust, they kept the Chinese out of my network for five years, when the PRC finally gave up. I only used their hardware too.

      But if you are in Hong Kong, you might as well forget it; although if I were a protester, I'd have a plan to roll my own using friendly advice; and open source methods. None of the details, which I'd discuss in public anyway.

    7. Gandalf87

      Re: So, recommendations?

      Well, I think that you might want to revisit what your needs are before opting for one. For instance, (quoting my personal experience) I use Ivacy when it comes to my privacy and security. Its apps are ioXt certified and work flawlessly for streaming. I bought six months back when I came across TechRadar endorsing it for streaming functionality.

  6. W.S.Gosset


    That last tweet's note re dual-homing is hair-raising. That means you can get around a VPN user's firewall & NAT by simply signing up to their VPN service, then directly attacking their naked machine.


  7. quartzz

    any ideas on Vypr VPN? I spent more than a year subscriptions worth on 1 month trials of a few (6?) different VPN's. surfshark, vypr and one other (IVPN was almost useable) were the only ones I found even slightly useable. express, nord and cybervpn were virtually unuseable.

    my vypr connection seems to hang after a while, so I'm ending up not using my VPN much. I've found a VPN connection isn't suitable for general surfing, I only enable it when necessary. I suppose at some point in the 21st or 22nd century, these services might actually become regulated

    1. Flocke Kroes Silver badge

      Re: these services might actually become regulated

      Regulation = (Billing information + Complete logs → GCHQ)

    2. Anonymous Coward
      Anonymous Coward


      I use air vpn. Open vpn based client. Multiple exit nodes by country.

      I tried a few. The usual suspects as well as Relakks, SwissVPN. Air has been pain free.

      Different strokes for different folks. I use it on Linux, iOS and windows.

  8. eldakka

    Ah, so these aren't Virtual Networks that are Private. They are Networks that are Virtually Private.

  9. amanfromMars 1 Silver badge

    Harsh maybe but perfectly understandable, given the mountains of evidence freely available

    "The vast majority of companies that operate these services use patently false marketing, have very murky corporate provenance, and in some cases are literally run by convicted financial crime felons, so of course they will claim 'strong privacy and security' protections when in fact they offer neither," he continued.

    So, just exactly like Parliamentary and Presidential style democracies then which are forever reneging on fantastic election promises once feeling secure in executive office with even the slimmest of majorities/greater number of delinquent votes.

    If truth be told, they be as Ripe Rotten Skunk Works and therefore wholly unworthy of SMARTR* Futures Support.

    * .... SMARTR Mentoring Analysis Reporting Titanic Research

  10. StrangerHereMyself Silver badge

    It's pretty clear that China is forcing Hong Kong VPN providers to log everything and that their services are therefore moot.

    It's pretty shocking that these providers are logging passwords in plaintext as well, although I wouldn't be surprised if some big U.S. internet giants do this as well.

    1. Anonymous Coward
      Anonymous Coward

      Airvpn discontinued their hong kong server for those reasons.

  11. Kevin McMurtrie Silver badge

    We can't have good things

    True "no-log" VPN providers don't have routing for long. They're used for computer intrusion and, since there's no logging, the VPN provider can't determine which customers are doing it. BOFH doesn't want to hear excuses.

    1. gnasher729 Silver badge

      Re: We can't have good things

      I know a guy who went through logs to see which of his customers thought it was funny to make five hundred or so fake 999 calls with their software. I think the police didnt have a warrant yet, but T&Cs allowed them to identify the cretin, and they did.

      1. Sir Runcible Spoon

        Re: We can't have good things

        Personally I'm ok with a company being able to identify a VPN user after being served a lawful warrant to that effect. It's the casual 'spying on everyone because we can' that I object to, it changes the nature of the relationship between people and the state (i.e. nothing to do with that 'nothing to hide, nothing to fear' bollocks).

  12. Anonymous Coward
    Anonymous Coward

    Logs could be pretty predictable though.

    ..mainly bound for pornhub servers

  13. Anonymous Coward
    Anonymous Coward

    They are all liars........

    The toss pots in HK claim they shut up shop becasue of the CCP..., more like they were harvesting data for the CCP....

    1. Anonymous Coward
      Anonymous Coward

      Once "On-The-Net", there is NO such thing as "Privacy". Regardless of Who-You-Are or What-You-Do. Your details and GaZillion Others, are then, "Awaiting-for some 2-bit Crook to Target You". The Kicker is that you are paying for ALL this, aka Mesmerised to Imagine that "Perfection" is Ownable/Purchase-able. Like it and Believe It or NOT.

  14. Anonymous Coward
    Anonymous Coward



    Is this VPN piece actually news?

  15. Anonymous Coward
    Big Brother

    Building your own VPN

    I am possibly being stupid here, but my understanding is that the purpose of a VPN is to tunnel network traffic between two points, with the traffic usually being encrypted in the tunnel (I suppose that if it was not encrypted that would be a VN and I can imagine uses for those but they don't matter here). Let's call the end points A (you) and B (the far end). Now, surely, half the point of the thing is that if someone can snoop traffic from B, they can't easily know that it comes from A (and there are lots of caveats here because if they can see the connection from A to B then they can probably work out interesting things from traffic analysis even without being able to decrypt the traffic, so that all has to be hidden somehow, but I don't want to worry about that).

    So, if B is owned by some VPN provider, anyone who is watching its traffic knows only that it originates from one of the VPN providers many customers, not who they are. So that reveals a little information but not much. And if there are no logs then even a later attack on the VPN provider (a legal attack say) doesn't tell them any more.

    But if I want to roll my own VPN, then I'm going to need to pay for the end-point, B. And I'm the only person using this end-point. So anyone who can extract from whatever hosting provider is selling me B information about who is paying them for B knows who the traffic originating from B belongs to. Which kind of defeats at least some of the the point of a VPN.

    1. Graham Cobb Silver badge

      Re: Building your own VPN

      So anyone who can extract from whatever hosting provider is selling me B information about who is paying them for B knows who the traffic originating from B belongs to. Which kind of defeats at least some of the the point of a VPN.

      Some, but not all. If you don't need to protect against legal threats then that VPN is still useful. In particular, if you are just using the VPN to appear to be located in another country, and it is unlikely anyone will take legal action against you, then paying for your endpoint works fine. In that case, the biggest problem is that the easily available paid-for endpoints (like AWS) are often blocked by the sites most often targetted for this (for example, BBC). But it is often still possible to find a smaller provider that is not blocked, And any foreign provider will do if you aren't violating copyright and just don't like allowing GCHQ to collect all your browsing data with no probable cause.

      On the other hand, if you don't need to protect against legal threats, and you are just using it for something fairly innocuous, then you don't need a "nolog VPN provider" either - any VPN provider will do and they will probably handle getting around blocks better than you can because that is how they get you to pay.

      The situation changes, of course, if you are doing something illegal, or likely to end up in court, or something blackmailable (in which case the VPN or hosting provider themselves may be your most serious threat).

      1. Anonymous Coward
        Anonymous Coward

        Re: Building your own VPN


        Quote: ".....don't like allowing GCHQ to collect all your browsing data..."


        They can collect what they like......but can they read it?













        1. David 132 Silver badge
          Black Helicopters

          Re: Building your own VPN











          That is just depraved. You should be ashamed of yourself. That poor dwarf. How could you stoop so low?


          Your friends at GCHQ.

          PS: You need to change your mouse batteries, you left your car lights on, and for what it's worth, that shirt really doesn't suit you.

    2. spireite Silver badge

      Re: Building your own VPN

      I'm lucky enough to be able to work from home in my second country.

      Before I left my home country, I setup all the necessary stuff using Ubuntu, OpenVPN, DDNS and a few other things.

      So, I have my own VPN, so when it comes to streaming the Beeb/Sky all appears hunky dory.

      Downside, I have to leave my kit on back home, so thats 'paying' for it....

      I do realise that most peopel will need a third-party one for reasons of streaming from another region for the TV / Kodi rather my genuine 'WFH' reason.

      I do realise though that this is something of a minefield!

    3. bdg2

      Re: Building your own VPN

      I use a VPN when I'm away from home on unsecured Wi-Fi or on a network of unknown security.

      For my purposes my own VPN server back in my home is just as good as using any service would be. Plus I can get access to my NAS and other things that are on my network at home without having to forward ports in to them which would put them at risk of being hacked.

  16. NotTrustworthy

    Money Talks ...

    I'm surprised that people actually believe paid-for VPN services don't log anything.

    The first rule of business is that you protect your business, and by extension it's revenue stream.

    That statement is so true. It's been the one constant that I've found of every business I've worked for during my adult life.

    The notion that some subscription VPN business is going to use all its profits (and potentially go into debt) to hire a legal firm and fight off a single legal challenge (read: one VPN subscription) is just not a reality. Every business I've worked for has been more than happy to find the cheapest way to settle a legal problem (in general, not brought by me), if it means they can continue to operate and make money.

    If you're paying for a VPN service and the VPN business owner has any business sense, then they'll keep logs, if for no other reason than as an insurance policy to stop some costly legal challenge, or to keep themselves out of jail. I'm convinced that the only reason VPNs don't roll over on their customers more frequently, is because prosecutions are usually underfunded. That can change in a single moment though. As for reputational damage after a sell-out, I doubt they'd ever even acknowledge it was them.

    The only truly secure VPN is one you've set up yourself using payment methods and addresses that don't link back to you.

    1. Jimmy2Cows Silver badge

      Re: Money Talks ...

      The point is these VPN providers shouldn't bullshit their customers, usually the one's who aren't IT-literate, by saying they don't log anything when they blatantly do (and, depending on jurisdiction, legally must do).

      We know it's naive at best to think VPN providers won't log everything, even if only to cover their own arse. Many people looking for a VPN provider won't know that.

  17. BPontius


    Anyone who really believes that any online company does not log or store data about your activity is naive. All this no logging and don't sell my information is nothing more than marketing, as will they continue to collect and sell your data. Expect to be logged, tracked and your information sold.

    1. Anonymous Coward
      Anonymous Coward

      Re: naive


      Generally true. But suppose I'm in an internet cafe, reading El Reg, and posting an encrypted message (see below) using El Reg, directed to my secret buddy. I'm just wondering a few things:

      1. Does logging help anyone find out WHO I AM?

      2. Does logging help anyone identify my buddy?

      3. Can anyone read my book cipher message?

      4. And supposing I'm a VERY BAD PERSON...can any of the above be done in time to make any difference?












      1. Jimmy2Cows Silver badge

        Re: naive

        1. Combined with timestamped endpoint IP logging, up-to-date geographical data for IP assignments, and timestamped CCTV at said endpoint... perhaps.

        2. See 1 (caveat: endpoint may not have CCTV).

        3. Only if they've obtained that cipher alreadys.

        4. Probably not. Perhaps if 3 is true. But this assumes security services give a shit about doing anything in time to make a difference. They don't. The miniscule possibility of doing stopping "terror" is the carrot to gain ever-widening snoop powers. The stick is "look what happened because we didn't have blanket access to XYZ".

  18. sitta_europea Silver badge

    I want a VPN, where should I go for a provider?

    I know! Hong Kong!

    1. FatGerman Silver badge

      To be fair, 99.99999% of the people signing up for this crap don't know or check where the company is based, they just click 'give me the privacy for the warez'.

    2. Anonymous Coward
      Anonymous Coward

      re. where should I go for a provider? I know! Hong Kong!

      I would guess that most customers didn't even notice their "secure" vpn is HK based, and if they did, they thought "oh, how cool is that!" 1st case scenario is "normal, average behaviour", 2nd is "due diligence".

  19. Anonymous Coward
    Anonymous Coward

    Why, why, why

    Would anyone ever consider a VPN as a security measure?

    It's a tool- and a great one- to get around region-locking and censorship. But you're just connecting through someone elses' computer (where the definition also includes network equipment smart enough to be a VPN endpoint). There's a huge amount of trust required there.

    What do these companies do to convince their customers that they're trustworthy?

    1. Terry 6 Silver badge

      Re: Why, why, why

      Precisely. For the most part it comes down to "I don't trust <big name ISP> so I'll use <VPN provider whom I know nothing about> with my information instead.

    2. Anonymous Coward
      Anonymous Coward

      Re: Why, why, why

      How about vpn'ing to another companies vpn, over a vpn to a different companies vpn etc.

      1. Terry 6 Silver badge

        Re: Why, why, why

        I must admit, sometimes, for the sheer hell of it, I use Opera's VPN on my phone passed through the free allowance of's vpn just to add a bit of obfuscation.

        I'm sure it doesn't achieve anything really, but I do like to muddy my tracks. ( I also make random Google searches on my phone when I have a spare moment while stuff is happening. Think of a word, type it in to Google search).

        1. Anonymous Coward
          Anonymous Coward

          Re: I also make random Google searches on my phone

          ... which is all the more ammunition for the six-shooter of our good friend, Cardinal Richelieu :-)

  20. Anonymous Coward
    Anonymous Coward


    Definition of fraud:

    1a : deceit, trickery specifically :

    intentional perversion of truth in order to induce another to part with something of value or to surrender a legal right

    How is this not fraud?

    Will the owner(s) of these Virtual(ly) Public Networks be brought up on criminal fraud charges?

    1. Richard Jones 1

      Re: Merriam-Webster

      You may have to get round their protector first and then outlive their thug masters' 'protectors'.

  21. randon8154

    Do you guys keep any logs ?

    The nordvpn provider look like a honest one if you compare with this one : they deliberately log everything from their customer, even data with no use for debug / technical monitoring.

    I can't see anything else than shady reason, if it is obvious that communication privacy, activity free of any log, anonymat... are purely commercial statement, the goal of this provider is far beyond making a juicy business. Another obvious red flag for this provider : VPN client closed source.

    A efficient way to prove that the no log / ultimate privacy is a lie : Mass TCP port scan over a large netrange. If they don't log, monitor or trace who is doing what, you shouldn't be banned.

    Torproject is one of the only service who can legitimately claim what all those brainwashing vpn provider said

    As using a vpn rely on a blind trust of a third party, I would go for Mullvad

  22. amanfromMars 1 Silver badge

    Just curious about the covert and clandestine nature of the intellectually challenged ..

    ..... and easily fully compromised

    Do you think El Reg is safe and secure and free from outside spooky interest and remote and ideally controlling interference?

    Or is the opposite much more likely, given the common subject matters revealed in opinion pieces and information and intelligence reports and further discussed and expanded upon by commenting fans, both unusually known and secretive alike ..... the identifyingly handled and Anonymously Cowardly.

    :-) Ever had a tap on the shoulder, El Reg, followed by an offer to not refuse.?

    1. Anonymous Coward
      Anonymous Coward

      Re: Just curious about the covert and clandestine nature of the intellectually challenged ..

      @amanfromMars 1

      Quote: "...Do you think El Reg is safe and secure ..."


      Do you think ANY internet service is safe and secure?

      * I don't. But that's not the right question. Surely it's a question of RELATIVE security.


      So......if you have a gmail (or FB, or WhatsApp, or LinkedIn or BT, or Vodaphone......) account in your ACTUAL NAME..........................then you've got a target right there on your back.


      Anyone with an account/street address/credit card for their internet consumption.... is wide open for bad guys and/or spooks,

      * an AC on El Reg.....if my anonymity is prejudiced, feel free to get in touch.

      1. amanfromMars 1 Silver badge

        Re: Just curious about the covert and clandestine nature of the intellectually challenged ..

        Do you think ANY internet service is safe and secure? ... Anonymous Coward

        Since you ask, AC, and it is surely good for all to know about such as may be an entirely common place thing today too, I have no delusions about the possible complete lack of safety afforded to anyone who or anything which would think they are secure, relative or otherwise, and using remote virtual communications for practically surreal direct contact.

        However, what is a constant source of wonder with ever greater wider and deepening divides providing private and pirate succour and customised safe harbour sanctuary in any number of visited ports, is the abject lack of super-talented intelligence use of the facility/utility/ability, and which one is well advised to constantly be on the look-out for vast and radical improvement in/on.

        And that exciting change can, at it simplest and most worthy of forms, be manifested in a cogent and direct response to earlier supplied observation for embracing comment or ignorant denial and revealing silence, with the one supplying further remarkably profitable aid whilst the other renders extraordinary deficits creating crippling debts and overwhelming hardships.

        And there's no point in being too anonymous and ridiculous to the point of a self-destructive personal corporate obsession about maintaining one's absolute safety and security, AC, if you have something exciting to tell which one can easily sell for an absolute fortune ........ although there will be those and that which will tell you that is a fundamental human weakness to be ruthlessly exploited and lavishly employed rather than an almighty complicate and empowering strength to be fielded and wielded

  23. gnasher729 Silver badge

    I was told there are two kinds of VPN providers: Those that logged and told you, and those that logged and lied about it.

    1. chivo243 Silver badge

      I guess it's all on how you word your response?

      Advertised VPNs?

      Are you serious? Naw, no, we don't share no data, no way, no how.

      Months later, Ah, well um, I guess our marketing department promised something, something... shared something, contractually bound... it is all quite legal, we have it on paper!

      7 thumbs down

  24. Anonymous Coward
    Anonymous Coward

    when is logging not logging

    in a world when politicians don't lie, but merely present alternative facts?

  25. Sparkus

    Cab you say "CCP Honeypot"? knew you could.........

    1. TechHeadToo

      You can say it.

      But now you are on a list... somewhere ...

    2. Jimmy2Cows Silver badge

      Re: Cab

      Well I cab* say it, but I'm not so sure you cab*.

      * For anyone hearing a "wooooosh" sound... "can"

  26. TeeCee Gold badge

    ...It appears seven Hong-Kong-based VPN providers,,,all share a common entity, which provides a white-labelled VPN service.

    Let me guess: The People's Liberation ArmyHappy Dragon VPN Services.

  27. JCitizen

    Want an almost sure method?

    Not sure if he uses VPN, because much of the lines of communication are cut up and rather random; but if you really want to communicate in a way that even the heavy deep state hitters find it hard to intercept you; do it the way the Dalai Lama does it. I'll just leave it at that - just think about it and you will figure it out. The PRC doesn't need to know. He is always two steps ahead of them, all the way!

  28. sarahgill

    I would say all free VPNs keep logs there is not doubt about that. I have used tons of free and paid VPNs and trust me when I say this. ExpressVPN, PIA, Ivacy VPN, Surfshark all of these are truly no log VPNs and are members of the VPN trust innitiative.

  29. Anonymous Coward
    Anonymous Coward

    The real list of No Log VPNs

    Been using Ivacy VPN for 3 years now and was using Express and Pure before that. All of these are safe to say No Log VPNs

  30. darekgough

    PureVPN has passed the KPMG Always-on audit which is the bold step towards the user-centricity, transparency the VPN operations and more. KPMG is one the top leading audit firm of US.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like