"We do not maintain databases"

Breach Oct 31, 2021
Image source: https://twitter.com/MayhemDayOne/status/1454545841579073537

Hello. I am writing about ActMobile, a shady VPN company with beyond horrible security practices. Although I'm not Bob, I think that the people @ ActMobile will equally appreciate my reporting on this. Let's prove that ActMobile was indeed breached really quick, to clear any doubt some people might have. I will also link to Bob's article on here once he reports on it, as I'm sure he will do a more in-depth look at it. While being rude to a whitehat security researcher after they disclose a critical flaw might not get your data leaked, he's not the only one who found the server :)

The Files I exported

The first few users in the breach (portal_api_user table) all reference a relation to ActMobile:


The last of these users is the one you should focus on the most: "[email protected]". This is who actually owns ActMobile. His name is Andrew Foss. You can see on their "Team" page that they list him as the CEO. https://actmobile.com/team (Archive: https://archive.md/TB246 ).

RiskIQ Lookup for [email protected]

This email was at one point listed in the WHOIS records of all of the domains relating to FreeVPN // Dashnet // Actmobile.

Want more proof?

Sure. Here's the configuration from their MongoDB Server.

{
    hosts:[
        "209.126.103.91:30001",
        "209.126.103.89:30001",
        "209.126.103.203:30001",
        "163.172.30.114:30001",
        "107.182.226.86:30001"
    ],
    passives:[
        "92.204.255.249:30001",
        "89.163.138.67:30001"
    ],
    setName:"rs1",
    setVersion:404853,
    ismaster:false,
    secondary:true,
    primary:"209.126.103.203:30001",
    me:"209.126.103.89:30001",
    maxBsonObjectSize:16777216,
    maxMessageSizeBytes:48000000,
    maxWriteBatchSize:1000,
    localTime:ISODate('2021-10-21T21:17:17.154Z'),
    maxWireVersion:4,
    minWireVersion:0,
    ok:1
}

Hmm. Let's look at the WHOIS record for the IP 92.204.255.249, one of the servers that the database was being hosted on.

$ whois 92.204.255.249 -B
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

% Information related to '92.204.255.248 - 92.204.255.249'

% Abuse contact for '92.204.255.248 - 92.204.255.249' is '[email protected]'

inetnum:        92.204.255.248 - 92.204.255.249
netname:        VELIANET-FR-ACTMOBILE-NETWORKS-INC
descr:          Actmobile Networks Inc.
country:        FR
org:            ORG-ANI11-RIPE
admin-c:        ANI41-RIPE
tech-c:         ANI41-RIPE
status:         ASSIGNED PA
remarks:        ticket.velia.net 222745
notify:         [email protected]
mnt-by:         FGK-MNT
created:        2021-05-27T12:15:29Z
last-modified:  2021-05-27T12:15:29Z
source:         RIPE

organisation:   ORG-ANI11-RIPE
org-name:       Actmobile Networks Inc.
org-type:       OTHER
address:        1070
address:        94566 Pleasonton
address:        United States, CA
phone:          +18007101377
e-mail:         [email protected]
admin-c:        ANI41-RIPE
tech-c:         ANI41-RIPE
abuse-c:        ANI41-RIPE
mnt-ref:        FGK-MNT
mnt-by:         FGK-MNT
created:        2021-03-05T08:33:01Z
last-modified:  2021-03-05T08:33:01Z
source:         RIPE

role:           Actmobile Networks Inc.
address:        1070
address:        94566 Pleasonton
address:        United States, CA
phone:          +18007101377
e-mail:         [email protected]
nic-hdl:        ANI41-RIPE
mnt-by:         FGK-MNT
created:        2021-03-05T08:33:01Z
last-modified:  2021-03-05T08:33:01Z
source:         RIPE
abuse-mailbox:  [email protected]

% Information related to '92.204.240.0/20AS29066'

route:          92.204.240.0/20
descr:          via velia.net
origin:         AS29066
mnt-by:         FGK-MNT
created:        2020-12-17T10:47:44Z
last-modified:  2020-12-17T10:47:44Z
source:         RIPE

% This query was served by the RIPE Database Query Service version 1.101 (BLAARKOP)

Oh.... but I thought you didn't manage any databases? Your words not mine.

"None, We do not collect any information of our users before, during, or even after using our app or service. We believe in 100% privacy for all our users."

>Table "portal_api_device" has entered the chat.


Moral of the story: lying is bad, and don't leave your database open to the public. I may or may not leak the database soon; if I do, I'll link to it here.

Update: Leaked; https://raidforums.com/Thread-Actmobile-com-45M
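
A defender-side check for the exposure described in this post, as an added example (not code from the original post): given the isMaster/hello reply of your own replica set, it lists the members advertised on globally routable addresses, the way the reply quoted earlier does. The sample reply is constructed (the 10.0.0.x members are invented for contrast) and the function names are hypothetical.

```python
import ipaddress

# Constructed sample shaped like the isMaster reply quoted in the post.
# The 10.0.0.x members are invented to contrast with public addresses.
SAMPLE_REPLY = {
    "hosts": ["209.126.103.203:30001", "10.0.0.11:30001"],
    "passives": ["92.204.255.249:30001"],
    "arbiters": ["10.0.0.12:30001"],
    "setName": "rs1",
    "primary": "209.126.103.203:30001",
    "me": "10.0.0.11:30001",
}

# Reply fields that carry replica-set member addresses.
MEMBER_FIELDS = ("hosts", "passives", "arbiters")


def split_member(member):
    """Split 'host:port' into (host, port); default port if none is given."""
    host, sep, port = member.rpartition(":")
    if not sep:
        return member, 27017
    return host.strip("[]"), int(port)


def public_members(reply):
    """Return (field, member, reason) for members that need review.

    Works only on the reply document passed in; hostnames are flagged as
    unchecked instead of being resolved, so no network request is made.
    """
    findings = []
    for field in MEMBER_FIELDS:
        for member in reply.get(field, []):
            host, _port = split_member(member)
            try:
                addr = ipaddress.ip_address(host)
            except ValueError:
                findings.append((field, member, "hostname-not-checked"))
                continue
            if addr.is_global:
                findings.append((field, member, "public-address"))
    return findings


if __name__ == "__main__":
    for field, member, reason in public_members(SAMPLE_REPLY):
        print(f"{field:9} {member:26} {reason}")
```

Any member this reports should sit behind a firewall or private network, and the deployment should require authentication.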


pompompurin

A threat actor on the internet
