"We do not maintain databases"

Databreach Oct 31, 2021
Image source: https://twitter.com/MayhemDayOne/status/1454545841579073537

Hello. I am writing about ActMobile, a shady VPN company with beyond horrible security practices. Although I'm not Bob, I think that the people at ActMobile will equally appreciate my reporting on this. Let's quickly prove that ActMobile was indeed breached, to clear any doubt some people might have. I will also link to Bob's article here once he reports on it, as I'm sure he will take a more in-depth look at it. While being rude to a whitehat security researcher after they disclose a critical flaw might not get your data leaked, he's not the only one who found the server :)

The Files I exported

The first few users in the breach (portal_api_user table) all reference a relation to ActMobile:


The last user listed above is the one you should focus on the most: "afoss@employees.org". This is who actually owns ActMobile. His name is Andrew Foss. You can see on their "Team" page that they list him as the CEO. https://actmobile.com/team (Archive: https://archive.md/TB246 ).

RiskIQ Lookup for AOSS@EMPLOYEES.ORG

This email was at one point listed in the WHOIS records of all of the domains relating to FreeVPN // Dashnet // Actmobile.

Want more proof?

Sure. Here's the configuration from their MongoDB Server.

{
    hosts:[
        "209.126.103.91:30001",
        "209.126.103.89:30001",
        "209.126.103.203:30001",
        "163.172.30.114:30001",
        "107.182.226.86:30001"
    ],
    passives:[
        "92.204.255.249:30001",
        "89.163.138.67:30001"
    ],
    setName:"rs1",
    setVersion:404853,
    ismaster:false,
    secondary:true,
    primary:"209.126.103.203:30001",
    me:"209.126.103.89:30001",
    maxBsonObjectSize:16777216,
    maxMessageSizeBytes:48000000,
    maxWriteBatchSize:1000,
    localTime:ISODate('2021-10-21T21:17:17.154Z'),
    maxWireVersion:4,
    minWireVersion:0,
    ok:1
}
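
A defensive check built on the output above, added here as an example and not taken from the original post: run against your own replica set's isMaster reply, it lists the members advertised on publicly routable addresses and maps maxWireVersion to the server release line. The function names and the wire-version table are this example's own; the member list is copied from the output above.

```python
import ipaddress

# Replica-set view copied from the isMaster output shown above.
IS_MASTER = {
    "hosts": ["209.126.103.91:30001", "209.126.103.89:30001",
              "209.126.103.203:30001", "163.172.30.114:30001",
              "107.182.226.86:30001"],
    "passives": ["92.204.255.249:30001", "89.163.138.67:30001"],
    "setName": "rs1",
    "maxWireVersion": 4,
}

# Wire protocol version -> MongoDB release line that introduced it.
WIRE_TO_RELEASE = {4: "3.2", 5: "3.4", 6: "3.6", 7: "4.0", 8: "4.2", 9: "4.4"}


def split_member(member):
    """Split 'host:port' into (host, port); assumes IPv4 or hostname members."""
    host, _, port = member.rpartition(":")
    return host, int(port)


def public_members(reply):
    """Return (member, role, note) for every member not on a private address."""
    findings = []
    for role in ("hosts", "passives", "arbiters"):
        for member in reply.get(role, []):
            host, _port = split_member(member)
            try:
                addr = ipaddress.ip_address(host)
            except ValueError:
                # Hostname member: it has to be resolved and checked separately.
                findings.append((member, role, "hostname, resolve and re-check"))
                continue
            if addr.is_global:
                # Advertised address is public; firewall, bindIp and auth
                # settings decide whether it is actually reachable.
                findings.append((member, role, "publicly routable address"))
    return findings


def server_release(reply):
    """Map maxWireVersion to a release line, or 'unknown' if not in the table."""
    return WIRE_TO_RELEASE.get(reply.get("maxWireVersion"), "unknown")


if __name__ == "__main__":
    for member, role, note in public_members(IS_MASTER):
        print(f"{IS_MASTER['setName']} {role:<8} {member:<24} {note}")
    print("release line:", server_release(IS_MASTER))
```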

Hmm. Let's look at the WHOIS record for the IP 92.204.255.249, one of the servers that said database was being hosted on.

$ whois 92.204.255.249 -B
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Information related to '92.204.255.248 - 92.204.255.249'

% Abuse contact for '92.204.255.248 - 92.204.255.249' is 'actmobile@actmobile.com'

inetnum:        92.204.255.248 - 92.204.255.249
netname:        VELIANET-FR-ACTMOBILE-NETWORKS-INC
descr:          Actmobile Networks Inc.
country:        FR
org:            ORG-ANI11-RIPE
admin-c:        ANI41-RIPE
tech-c:         ANI41-RIPE
status:         ASSIGNED PA
remarks:        ticket.velia.net 222745
notify:         vnid-hostmaster@godaddy.com
mnt-by:         FGK-MNT
created:        2021-05-27T12:15:29Z
last-modified:  2021-05-27T12:15:29Z
source:         RIPE

organisation:   ORG-ANI11-RIPE
org-name:       Actmobile Networks Inc.
org-type:       OTHER
address:        1070
address:        94566 Pleasonton
address:        United States, CA
phone:          +18007101377
e-mail:         actmobile@actmobile.com
admin-c:        ANI41-RIPE
tech-c:         ANI41-RIPE
abuse-c:        ANI41-RIPE
mnt-ref:        FGK-MNT
mnt-by:         FGK-MNT
created:        2021-03-05T08:33:01Z
last-modified:  2021-03-05T08:33:01Z
source:         RIPE

role:           Actmobile Networks Inc.
address:        1070
address:        94566 Pleasonton
address:        United States, CA
phone:          +18007101377
e-mail:         actmobile@actmobile.com
nic-hdl:        ANI41-RIPE
mnt-by:         FGK-MNT
created:        2021-03-05T08:33:01Z
last-modified:  2021-03-05T08:33:01Z
source:         RIPE
abuse-mailbox:  actmobile@actmobile.com

% Information related to '92.204.240.0/20AS29066'

route:          92.204.240.0/20
descr:          via velia.net
origin:         AS29066
mnt-by:         FGK-MNT
created:        2020-12-17T10:47:44Z
last-modified:  2020-12-17T10:47:44Z
source:         RIPE

% This query was served by the RIPE Database Query Service version 1.101 (BLAARKOP)

Oh.... but I thought you didn't manage any databases? Your words not mine.

"None, We do not collect any information of our users before, during, or even after using our app or service. We believe in 100% privacy for all our users."

>Table "portal_api_device" has entered the chat.


Moral of the story: lying is bad, and don't leave your database open to the public. I may or may not leak the database soon; if I do, I'll link to it here.

Update: Leaked (You just need to be logged into a BreachForums account to download, it's 100% free); https://breached.to/Thread-ActMobile-Database-Leaked-Download
