According to researchers, if the data from the threat actor is legitimate, the VPN companies have been logging more data than what they say they are in their privacy policy. VPNs are typically used to keep the user’s identity private from third parties, which is why when choosing a VPN, users should ensure that the VPN does not log the activities and collect data about them. If someone did use one of the VPNs in question, they should change their password as well as their Google Play randomly generated password. If a client of one of these VPNs paid for a premium subscription, they should also note that payment method and watch it for any fraudulent activity. Anyone configuring a new device or database should ensure that they change the default credentials. Often threat actors will try to login to these accounts with default credentials to prey on the people that do not change them.

More can be read here: https://cybernews.com/security/one-of-the-biggest-android-vpns-hacked-data-of-21-million-users-from-3-android-vpns-put-for-sale-online/?web_view=true