Cybersecurity firm Trend Micro Inc. today warned users of popular free virtual private network provider HolaVPN to stop using the service because it presents a range of highly unacceptable security risks.

Founded in 2007, HolaVPN pitches itself as a “community” peer-to-peer VPN service in which its users act as exit points for other users.

It’s difficult to estimate just how many users it has, but the Android app for the service alone has more than 10 million downloads and a million reviews. Some sites suggest it may have fewer than 10 million users, but others suggest that it has 175 million or more users worldwide.

In any case, every one of its users is at risk, according to the Trend Micro security researchers. The data sent over HolaVPN is said to be unencrypted, meaning it can be easily intercepted. Worse yet, HolaVPN makes its money selling access to its VPN network, meaning that users could and have seen their computers and phones used in botnet and spam campaigns.

In addition to privacy and malware risks, HolaVPN users were also found to be subjected to a variety of annoying and possibly misleading messages inserted by Luminati, the services’ parent company.

“Trend Micro’s decision to flag up HolaVPN as malware on its antivirus software is a step in the right direction for consumers,” Ray Walsh, a data privacy expert at BestVPN.com, told SiliconANGLE. “The risks posed by HolaVPN for its subscribers are severe, which is why HolaVPN is rightly considered the most dangerous VPN in the world.”

That lack of encryption, he added, means consumers have a false sense of security. “Privacy with HolaVPN is basically nonexistent, which means that consumers are getting none of the benefits that a VPN is supposed to provide,” he said. “What’s more, by permitting fellow HolaVPN users to connect to their computer, subscribers are potentially opening their IP address to use by cybercriminals, hackers and much worse.”

Walsh noted that the privacy policy says HolaVPN sells people’s data and browsing habits to outside companies, including frequently passing their email addresses to advertisers and to Luminati. “Furthermore, Hola was found to be fraudulently stealing and reselling user bandwidth, basically turning HolaVPN users computers into a botnet,” he said. “And, in addition to a complete lack of encryption, Hola was found to have both DNS and WebRTC leaks — further destroying its purpose as a privacy service.”

Image: Hola