Popular Chrome extension Hola sold users' bandwidth for botnets

Hola, one of the most popular online services for viewing blocked videos and TV shows from other countries, has turned its users into a botnet without their knowledge. The software, which is available as a plugin for the Chrome browser on desktop and mobile devices, had previously been praised for offering an easy-to-use and free service. However, it seems the company has been discreetly selling users' "idle resources" (i.e. their bandwidth) via a separate Luminati brand, allowing anyone to buy traffic in bulk and redirect it to a target site as a denial-of-service attack. Essentially, Hola's users have been unwitting mercenaries in a botnet-for-hire.

The issue came to light after the moderator of the controversial 8chan forum — an off-shoot of 4chan that has been criticized for acting as an "active pedophile network" — reported that the site had been the target of multiple DoS attacks from Hola's network. "[Hola] recently ... realized that they basically have a 9 million IP strong botnet on their hands, and they began selling access to this botnet," says a note on the site. "An attacker used the Luminati network to send thousands of legitimate-looking [requests to 8chan] in 30 seconds, representing a 100x spike over peak traffic."

Hola is able to act as a botnet for the same reason that its service is free: it doesn't provide its own bandwidth or servers, but simply redirects that of its users. Most virtual private networks (VPNs) have their own servers spread around the world, channeling a user's internet connection through these so that it appears to be coming from a different country. This allows a user in France, for example, to watch geoblocked TV shows from the US. Hola, however, operates as a peer-to-peer VPN, routing users' connections through each other's devices like a giant telephone exchange. Hola makes money by selling idle bandwidth from its free users under the Luminati brand. Users who don't want to contribute their bandwidth have to pay $5 a month, explains the site's FAQ.

Hola's founder Ofer Vilenski has said that the site has "always made it clear" how this business model works, but Hola's users seem to have been almost universally unaware that their bandwidth was being sold off. A thread on Reddit discussing the news is full of commenters expressing their outrage and surprise. "I've had it for years," writes one commenter, "fuck knows who has been using my internet connection!! And for what?!" Even users who might have taken the time to read Hola's FAQ could have been misled — TorrentFreak alleges that the site "only recently" added details explaining the role of the Luminati service to its site.

The worry for some users is not only that Hola has been leeching their bandwidth, but that their connection might have been used for illegal purposes — accessing anything from copyrighted content to images of child abuse. In the case of the DoS against 8chan, Hola's Vilenski has said that the attacker "could have used any commercial VPN network, but chose to do so with ours" and has now had their account "terminated." Hola's millions of users, though, might not be comforted by this news. At the time of writing, the company has not responded to The Verge's request for comment.


Comments

Yay! Nothing is truly free!
(Except ’murica, of course)

Ever heard of the phrase "If you’re not paying for it you’re the product"?

You’re not paying for reading this article…

True, but I am staring at a large GMC and Goldman Sachs ad so I’m sure that’s helping

Thanks, man, for helping those of us with adblockers keep the web free!

How much did you pay for the adblocker? You’re sure you’re not the product?

And indeed you are the product. Those ads won’t look at themselves.

Is there anything wrong with that?

Nope, but it sure does seem like the ads on the Verge are bigger than they’ve ever been.

True, but in the world of monetization, even if you are paying for it, you can still be a product.

If you didn’t see this coming then you’re a fool… Use a proper VPN

So… Anybody know a good alternative?

Yeah a VPN you actually pay for.

Seriously. They’re not even expensive.

I use NetShade, which is iOS/OSX exclusive, but is only $59/year. I’m sure there are plenty of similar, cross-platform, perhaps even cheaper services around. I get good performance from NetShade for UK television, which is what I use it for.

I can recommend ZenMate: https://zenmate.com/

Keep in mind it’s in a "beta" stage and they may charge soon enough.

Also keep in mind that ZenMate is free.

And it’s not a true VPN…

It’s basically an automated proxy…I’d stick to something else to hide my kiddy porn habit.

If it’s for having access to geolocked services: I’ve been using unblock-us for a few years now, nothing but good things to say about it.

Tunnelbear maybe. But you never know. I guess a paid VPN is probably the safest bet.

https://ra4wvpn.com/

Cheap, no logs, Open VPN protocol, lots of server choices, port forwarding (if that matters, you rascal you). It’s literally just $15 for a lifetime subscription.

I’m not affiliated, btw. I just use it myself off and on.

Well, that was to be expected. By using Hola, you effectively give your own internet connection to a complete stranger in return for a stranger’s internet connection.

I won’t be surprised if some people will be accused of sharing child pornography soon, when all they did was use Hola. Strangers can do nasty things with your IP.

The Verge discovered fire…

People have been thinking that the Chrome extension store was this holy grail of safe extensions for years and that Chrome was safe from adware-like extensions.

How safe is an app? Since the inception of applications some have abused the users’ trust. This is a VPN, what has Chrome to do with Hola channeling stuff through it? Like the only other alternative would be either no apps, like on old browsers (IE), or restricted apps that can’t do anything. Of course in both cases that would also mean no VPN for those that need it.
