Disclaimer: We have gathered all of this information from reliable sources and compiled it in one place. If any individual or company wishes to comment on any of these issues, we will publish that as well.
When a VPN provider suffers a data leak, it can seriously undermine users’ trust in the service. Users rely on VPN providers to protect their online privacy and security, and a leak can expose sensitive information such as browsing history, IP addresses, and login credentials. Surprising as it may sound, several top VPN providers have been involved in data leaks or have had misleading logging policies.
Whether users should keep trusting a provider after a leak or breach depends largely on how the provider responds. A trustworthy provider is transparent about the breach, discloses what information was affected, and takes steps to prevent a repeat: patching the vulnerability promptly, strengthening security measures, and submitting to regular independent audits.
Common methods of VPN data leaks
VPN providers can get into data leaks or security breaches in several ways. Some of the most common ways include:
- Server breaches: VPN providers operate many servers in data centers around the world, often rented from third parties. Attackers can exploit vulnerabilities in these servers, or in the hosting provider’s management interfaces, and gain unauthorized access to whatever is on them: user data, configuration, or the private keys that authenticate the VPN service itself.
- Some VPNs involved in server breach issues are Windscribe, NordVPN, and VPN.ht.
- Log policy shortcomings: a provider that keeps logs of user activity, even briefly, risks exposing them in a leak, a breach, or a court order. Even providers that advertise a no-logs policy may still collect connection metadata (timestamps, source IP, bandwidth used) that can be used to identify a user.
- VPNs whose logging policies have been questioned include PureVPN, HideMyAss, Hotspot Shield, PIA, UFO VPN, Windscribe, and ZenMate.
- Third-party security breaches: VPN providers rely on third parties such as payment processors and hosting providers. If one of those is breached, the VPN provider’s data, or its servers, can be compromised too.
- VPNs affected by third-party breaches include NordVPN and Windscribe.
Quick Overview Of VPN Providers Exposed In The Past
Here are some of the popular VPN providers that have been involved in data leaks or have had questionable logging policies exposed in the past. The list includes both confirmed and unconfirmed incidents:
- NordVPN: In 2019, NordVPN disclosed a breach of one of its servers that had occurred the previous year. NordVPN was criticized for not disclosing the breach sooner and for marketing claims about its “no-logs” policy.
- PureVPN – In 2017, PureVPN was found to have provided user logs to the FBI in a cyberstalking case, despite its “zero-log” policy.
- HideMyAss (HMA) – In 2011, HMA provided data logs to law enforcement that led to the arrest of a LulzSec hacker.
- Hotspot Shield – In 2017, the Center for Democracy & Technology (CDT) filed a complaint with the FTC alleging that Hotspot Shield had been logging user data and sharing it with third parties.
- Private Internet Access (PIA) – In 2016, PIA’s no-logs claim was tested when the FBI subpoenaed it in a criminal case; according to the court documents, PIA could not produce logs identifying the user.
- UFO VPN – In 2020, researchers found that UFO VPN had exposed 20 million user logs, including plaintext passwords and IP addresses.
- VPN.ht – In 2019, VPN.ht was reported to have left a server exposed online, allowing anyone to download a database of user logs including credentials and IP addresses.
- Windscribe: In 2018, Windscribe admitted to logging some user data for up to three minutes, which the company claimed was necessary for troubleshooting.
- ZenMate VPN: In 2020, ZenMate VPN was criticized for logging user data, including IP addresses and connection timestamps.
- Hola VPN: In 2015, it was revealed that Hola VPN was using its users’ devices as exit nodes for other users, essentially turning their devices into a botnet. Additionally, Hola VPN was accused of selling user bandwidth to third parties.
- VPN Unlimited: In 2018, researchers reviewing several popular VPN services identified security weaknesses in VPN Unlimited, which the company committed to address.
- LimeVPN: In 2021, LimeVPN’s user database was stolen and posted on a hacker forum.
- ExpressVPN: In 2021, ExpressVPN’s chief information officer, Daniel Gericke, was named in a US cyber-surveillance case, and the service was acquired by Kape Technologies, a company with a controversial history of data collection.
It is worth remembering that many VPN providers have a history of logging user data or handing it to authorities. Most of them changed their logging policies after user backlash, while some may have found quieter ways to continue. Research the provider you select thoroughly, and prefer one with a third-party no-logs audit report, since that is the only external validation of a logging policy.
NordVPN (Inside Story Based on Leak Itself)
In October 2019, NordVPN disclosed a breach that had occurred in March 2018. According to the company, an attacker gained access to a single NordVPN server in Finland through an insecure remote management system that the data center provider had left in place without NordVPN’s knowledge. The attacker obtained a TLS private key from the server (it had expired by the time of the disclosure), which while valid could have allowed an active man-in-the-middle attack against connections to that server.
NordVPN stated that it had immediately terminated its contract with the data center provider and performed an extensive audit of its infrastructure. The company also stated that it did not believe any user data was compromised in the breach.
However, NordVPN was criticized for not disclosing the breach sooner and for its “no-logs” marketing. The company claimed it did not log user activity or connection metadata, but it was later reported that NordVPN had been logging some user metadata, such as the user’s choice of VPN server and the amount of data transferred. NordVPN stated that this data was only used for troubleshooting and was never shared with third parties.
The incident highlighted the importance of transparency and honesty in VPN providers’ marketing and privacy policies. Since the incident, NordVPN has improved its security and privacy practices, such as undergoing an independent security audit and publishing a transparency report.
- NordVPN’s official statement on the incident: https://nordvpn.com/blog/official-response-datacenter-breach/
- TechCrunch article detailing the NordVPN hack: https://techcrunch.com/2019/10/21/nordvpn-confirms-it-was-hacked/
- Forbes article on the NordVPN hack and its implications for user privacy: https://www.forbes.com/sites/daveywinder/2019/10/23/nordvpn-confirms-it-was-hacked-five-months-ago/?sh=20c441292e15
- ZDNet article on the NordVPN hack and lessons learned for VPN providers: https://www.zdnet.com/article/lessons-learned-from-the-nordvpn-failure/
PureVPN (Logs Handed to the FBI)
In 2017, PureVPN was involved in a case in which the company was accused of providing logs to the FBI that were used in a cyberstalking investigation. According to court documents, an individual in the United States used PureVPN to access a website and send threatening messages anonymously. The FBI obtained a court order for information about the account, and PureVPN provided connection logs that were used to identify the individual.
At the time, PureVPN claimed a “no-logs” policy and stated that it did not keep any logs of users’ online activity. However, it was later revealed that the company did keep some connection logs, such as the user’s source IP address, the VPN server location, and the connection duration. PureVPN stated that this data was used for troubleshooting and was never shared with third parties.
The incident raised questions about the accuracy of VPN providers’ “no-logs” claims and their ability to truly protect user privacy. Separately, in 2018, vpnMentor hired a team of ethical hackers to test PureVPN along with two other popular providers, Hotspot Shield and ZenMate. PureVPN was found to be leaking users’ IP addresses; after the research was published, PureVPN issued a statement announcing that the vulnerability had been patched.
Following this incident, PureVPN changed its logging policies and underwent an independent security audit to improve its security and privacy practices.
Still, the incident is a reminder that users should read providers’ privacy policies carefully and be aware of the limits of VPN technology as a tool for anonymity.
- Ars Technica article discussing the PureVPN controversy: https://arstechnica.com/tech-policy/2017/10/vpn-provider-shared-customers-logs-with-authorities-who-used-it-to-track-down-cyberstalker/
- The Register article on the PureVPN controversy: https://www.theregister.co.uk/2017/10/09/purevpn_shares_customer_logs_with_fbi/
- PureVPN’s official statement on the controversy: https://www.purevpn.com/blog/purevpn-statement-on-incident/
HideMyAss (HMA) (Data Leak Story)
In 2011, HideMyAss (HMA) provided logs to law enforcement that were used to track down a LulzSec hacker who had used HMA’s VPN service to conceal their activity. Responding to a UK court order, HMA handed over connection logs that tied the user’s IP address to the VPN server used at the time of the illegal activity. The incident raised questions about HMA’s logging policies and its ability to protect user privacy.
Since then, HMA has worked to improve its privacy and security practices, for example by strengthening its encryption and by undergoing a no-logs audit by VerSprite in 2020. According to HMA, the audit “included analyses of data, traffic, and storage on both the client and server-side, and the disconnection of user identities with data containing information about online user activity.” HMA has not published a further logging audit since, so that 2020 report is the only independent verification of its policy.
The incident still serves as a reminder that VPN users should carefully evaluate VPN providers’ privacy policies.
- Ars Technica article discussing the HMA controversy: https://arstechnica.com/tech-policy/2011/09/hidemyass-com-is-a-lying-pile-of-sthole-anonymous-says/
- TechDirt article on the HMA controversy: https://www.techdirt.com/articles/20110923/09552316005/hide-my-ass-proudly-says-it-will-assist-police-hiding-your-ass.shtml
- The Register article on the HMA controversy: https://www.theregister.co.uk/2011/09/26/hide_my_ass_fbi_lulzsec/
Hotspot Shield - log policy controversy
In August 2017, the Center for Democracy & Technology (CDT) filed a complaint with the US Federal Trade Commission against Hotspot Shield’s operator. According to the complaint, Hotspot Shield collected and shared data on users’ browsing habits, device information, and network information with third-party advertisers. The CDT also alleged that Hotspot Shield injected tracking cookies into users’ web browsers to track their online activity, even when the VPN was not in use.
Hotspot Shield disputed the allegations and pointed to an independent study that found it “to be the fastest and most secure among all consumer and enterprise VPN products.” It then underwent a third-party AV-TEST review in 2018, in which the product was “reviewed in its different fields of potential uses such as providing privacy, anonymity or virtual different geographical location.” Since then the provider has neither published another audit nor been involved in a data breach controversy.
However, the incident raised concerns about VPN providers’ transparency and privacy practices. It highlighted the need for users to carefully evaluate VPN providers’ privacy policies and be aware of the potential risks of using VPN services.
- CDT complaint: https://www.cdt.org/files/pdfs/CDT-Complaint-HTS.pdf
- Hotspot Shield response: https://www.hotspotshield.com/press/CDT-complaint-response/
Private Internet Access (PIA)- parent company security issue.
Private Internet Access (PIA) is a well-known name in the VPN industry with a reputation for strong security. Even so, the provider has had its share of security scares and ownership controversies.
In 2016, PIA’s no-logs claim was tested in court. The FBI, investigating a man who had used PIA while making hoax threats online, subpoenaed the company for records about the account. According to the court filing, the only information PIA could provide was that the IP addresses involved belonged to its servers on the US east coast; no logs identifying the user were produced, and the suspect was identified by other means.
In 2016, PIA was again involved in a controversy when a hacker claimed to have breached the company’s systems and obtained user data. PIA denied the claims and stated that no user data had been compromised.
However, in 2019 PIA’s parent company, London Trust Media (LTM), was acquired by Kape Technologies, a company with a controversial history of data collection and privacy violations. The acquisition raised concerns about the future of PIA’s privacy and security practices, and some users said they would stop using the service.
Despite these incidents, PIA continues to be a popular VPN service with a strong reputation for privacy and security. The company has implemented various measures to protect user privacy, such as a strict no-logs policy and robust encryption protocols.
- PIA statement on the FBI case: https://www.privateinternetaccess.com/blog/2015/07/our-statement-on-the-fbi-allegations/
- PIA statement on 2016 hack: https://www.privateinternetaccess.com/blog/2016/06/pia-is-not-compromised/
- Kape Technologies acquisition of LTM: https://www.businesswire.com/news/home/20190807005447/en/Kape-Technologies-Acquires-London-Trust-Media-Inc.-Parent-Company-of-Private-Internet-Access
UFO VPN- the false no-logs policy claim.
UFO VPN is a relatively new service that was involved in a data leak in July 2020, when it was reported that the provider had left a database containing sensitive user data exposed online without password protection. The database reportedly contained user logs including session timestamps, user locations, and device information, as well as plaintext passwords and payment information.
The data leak was discovered by a cybersecurity researcher who found the database using the search engine Shodan. The researcher reported the issue to UFO VPN, but the company did not respond or take action to secure the database for several days.
The incident raised concerns about the security practices of UFO VPN and the potential risks of using relatively new VPN services. Users must consider VPN providers’ reputations and track records before entrusting them with sensitive data.
- Report on UFO VPN data leak: https://www.comparitech.com/blog/vpn-privacy/ufo-vpn-data-leak/
- UFO VPN’s response to the incident: https://www.ufovpn.com/ufocloud.html
VPN.ht- server data leak issue
VPN.ht is a VPN service that was involved in a data leak in July 2019, when it was reported that the provider had left a server exposed online without password protection, allowing anyone to access and download a large database of user logs.
The database reportedly contained detailed information about VPN.ht users, including their login credentials, session information, and IP addresses. The logs also included information about the websites and services accessed by users while connected to VPN.ht, potentially revealing sensitive user activity.
The data leak was discovered by a security researcher who found the database using the search engine Shodan. The researcher reported the issue to VPN.ht, but the company did not respond or take action to secure the server for several days.
The incident raised concerns about the security and privacy practices of VPN.ht, highlighting the need for users to carefully evaluate the reputation and track record of VPN providers before entrusting them with sensitive data.
- Report on VPN.ht data leak: https://vpnpro.com/blog/vpn-ht-data-leak/
- VPN.ht’s response to the incident: https://twitter.com/vpnht/status/1151195282454391296
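The UFO VPN and VPN.ht incidents above share one failure: a datastore reachable from the internet that answered requests without any credentials, found by a researcher with Shodan before the provider noticed. Below is an added example (written for this page; it is not code from either provider or from the researchers cited) of the check a provider’s own team can run against its public-facing endpoints to catch that first. It assumes an Elasticsearch-style `/_cluster/health` path and uses three constructed local servers so it runs offline; swap in your real hosts and paths.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// Finding is the result of one credential-less request to a datastore's HTTP API.
type Finding struct {
	Exposed bool   // the service served data without asking for credentials
	Status  int    // HTTP status code (0 if the request never completed)
	Reason  string // short explanation for the report
}

// NewProbeClient returns a client suited to scanning: short timeout and no
// redirect following, so a bounce to a login page is never mistaken for data.
func NewProbeClient() *http.Client {
	return &http.Client{
		Timeout: 5 * time.Second,
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
}

// ProbeOpenDatastore sends one GET with no Authorization header to baseURL+path.
// A 2xx JSON body means the endpoint is exposed; 401/403 means authentication is
// enforced; anything else (redirects, 404, HTML error pages) is inconclusive and
// needs a human look rather than a "safe" verdict.
func ProbeOpenDatastore(client *http.Client, baseURL, path string) Finding {
	resp, err := client.Get(baseURL + path)
	if err != nil {
		return Finding{Reason: "request failed: " + err.Error()}
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(io.LimitReader(resp.Body, 64<<10)) // never slurp a whole index
	switch {
	case resp.StatusCode == http.StatusUnauthorized || resp.StatusCode == http.StatusForbidden:
		return Finding{Status: resp.StatusCode, Reason: "authentication enforced"}
	case resp.StatusCode/100 == 2 && json.Valid(body):
		return Finding{Exposed: true, Status: resp.StatusCode, Reason: "served JSON without credentials"}
	default:
		return Finding{Status: resp.StatusCode, Reason: "inconclusive response"}
	}
}

// DemoServers stands up three constructed local services that mimic an
// Elasticsearch-style cluster endpoint: one open to the world, one behind HTTP
// basic auth, and one that bounces anonymous requests to a login page. They
// exist only so the example runs offline.
func DemoServers() (open, locked, redirecting *httptest.Server) {
	open = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"cluster_name":"vpn-logs","status":"green","number_of_nodes":1}`)
	}))
	locked = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, _, ok := r.BasicAuth(); !ok {
			w.Header().Set("WWW-Authenticate", `Basic realm="security"`)
			http.Error(w, "missing authentication credentials", http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, `{"status":"green"}`)
	}))
	redirecting = httptest.NewServer(http.RedirectHandler("/login", http.StatusFound))
	return open, locked, redirecting
}

func main() {
	open, locked, redirecting := DemoServers()
	defer open.Close()
	defer locked.Close()
	defer redirecting.Close()
	client := NewProbeClient()
	for _, target := range []*httptest.Server{open, locked, redirecting} {
		fmt.Printf("%s -> %+v\n", target.URL, ProbeOpenDatastore(client, target.URL, "/_cluster/health"))
	}
}
```

Only the open server comes back `Exposed: true`; the redirecting one is reported as inconclusive rather than safe, which is deliberate: a scanner that follows redirects and sees a 200 login page would otherwise mark an open index as protected. Run it from a network position outside your own perimeter, because an internal hit says nothing about what Shodan sees.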
Windscribe- seized unencrypted server story.
Windscribe is a VPN service that has a strong reputation for privacy and security, with a strict no-logs policy and robust encryption protocols.
In 2018, Windscribe did have a minor incident in which a server was misconfigured, potentially exposing some user data. However, the incident was quickly detected and resolved, and there was no evidence that user data had been accessed or compromised.
Then, in 2021, Windscribe suffered a more serious incident when two of its servers hosted in Ukraine were seized by the authorities as part of an investigation. According to Windscribe, the servers’ disks were not encrypted, even though the hardware was in a third party’s hands, and an OpenVPN server certificate and its private key were stored on them. The incident is alarming because it shows that Windscribe did not encrypt all of its servers and left key material exposed on third-party hardware. With the private key, the Ukrainian authorities were in a position to decrypt VPN traffic under certain conditions, the condition being an active attack at connection time: as Windscribe explained in its blog post, the mistake would have allowed them to “impersonate a Windscribe VPN server and capture VPN tunnel traffic running through it.”
Windscribe followed the incident with an official apology and a promise to make amends by moving to WireGuard as its primary protocol, building a more resilient authentication backend, adding new application features, and commissioning a security audit. As of 2023, however, the provider has still not published a no-logs audit.
Because Windscribe has yet to deliver on those promises, some users no longer fully trust the provider.
- Report on Windscribe’s 2018 server incident: https://www.zdnet.com/article/vpn-provider-windscribe-logs-user-data-after-misconfigured-server-exposure/
ZenMate (no significant data or log leak incidents)
ZenMate is a VPN service that has not been involved in a significant data or log leak incident, although its logging practices have drawn criticism and it was one of the three providers found leaking users’ IP addresses in the 2018 vpnMentor research mentioned above. The company has a no-logs policy and uses robust encryption.
However, in 2018, it was reported that a security researcher had discovered a vulnerability in the ZenMate desktop client that could potentially allow an attacker to execute code on a user’s device. The vulnerability was reportedly caused by a lack of input validation in the client’s update mechanism.
ZenMate quickly responded to the report and released a patch to address the vulnerability. The company also issued a statement emphasizing its commitment to security and privacy and assuring users that their data had not been compromised.
While the incident was a cause for concern, it ultimately demonstrated ZenMate’s responsiveness and commitment to maintaining a secure and trustworthy VPN service.
- Report on ZenMate’s 2018 vulnerability: https://www.bleepingcomputer.com/news/security/zenmate-vpn-client-exposes-vulnerability-that-allows-attacker-to-execute-code/
Hola VPN- all security controversies.
Hola VPN is a free VPN service that has been involved in several controversies over user privacy and security.
In 2015, it was reported that Hola was selling its users’ idle bandwidth to a commercial service called Luminati, which used it for activities such as botnet attacks and distributed denial of service (DDoS) attacks. This raised severe concerns about the security and privacy implications of using Hola, as users’ devices and internet connections could be used for illegal or malicious activities without their knowledge or consent.
In addition, in 2018, it was reported that Hola had been caught embedding tracking scripts in its browser extension, allowing it to monitor users’ browsing activity and potentially harvest sensitive information such as login credentials and credit card numbers.
As a result of these incidents, Hola’s reputation for privacy and security has been severely damaged, and the company has been widely criticized for its practices. Experts recommend avoiding the use of Hola and choosing a more reputable VPN provider instead.
- Report on Hola’s bandwidth-selling controversy: https://www.dailydot.com/debug/hola-vpn-botnet-sell-bandwidth/
- Report on Hola’s browser extension tracking: https://thebestvpn.com/news/hola-vpn-tracking-users/
- Hola’s response to the tracking allegations: https://hola.org/blog/the_hola_network_on_the_recent_events_regarding_the_hola_network
VPN Unlimited- Bug Reported and Fixed
VPN Unlimited is a VPN service from KeepSolid Inc. that promises its users a secure and private browsing experience. To date, there have been no reports of data or log leak incidents involving the service.
However, in 2018, a group of security researchers studied several popular VPN services, including VPN Unlimited, and found that the service was using weak encryption protocols that an attacker could potentially compromise. The researchers recommended that VPN Unlimited improve its encryption protocols to provide better security for its users.
In response to the study, VPN Unlimited released a statement acknowledging the researchers’ findings and committing to improving security measures. The company also stated that it had not detected any security breaches or data leaks in its system.
Overall, while VPN Unlimited has not been involved in any major data or log leak incidents, the service has been identified as having potential security weaknesses that should be addressed.
- Study on VPN services, including VPN Unlimited: https://www.vpnmentor.com/blog/report-most-vpn-services-are-lying-to-you-about-privacy/
CyberGhost- Bug reported and taken care of immediately
There have been no significant data leaks or hacking incidents involving CyberGhost VPN. The VPN is known for its strong privacy and security features, including a strict no-logs policy, and has not been implicated in any major security breaches.
However, in 2019, a group of researchers identified a vulnerability in CyberGhost’s Chrome browser extension that could potentially lead to users’ IP addresses being exposed. CyberGhost was quick to acknowledge the issue and released an updated version of the extension to address the vulnerability. No user data was compromised as a result of this vulnerability.
Overall, while CyberGhost’s response to the 2019 vulnerability demonstrated their commitment to user privacy and security, it is always important to remember that no VPN is completely immune to security issues. It is therefore important to carefully research and choose a reputable VPN provider, and to take other security measures such as using strong passwords and keeping software up to date.
- CyberGhost’s official statement on the vulnerability: https://support.cyberghostvpn.com/hc/en-us/articles/360009787379-CyberGhost-Chrome-Extension-Vulnerability
- The Register article on the vulnerability: https://www.theregister.co.uk/2019/06/24/cyberghost_vpn_chrome_extension_bug/
- TechRadar article on CyberGhost’s response to the vulnerability: https://www.techradar.com/news/cyberghost-vpn-patches-vulnerability-in-its-chrome-extension
IPVanish- Data Leak History
There have been a few instances where IPVanish has been involved in data leaks or user data being exposed. In 2014, it was reported that IPVanish had suffered a security breach that resulted in some user information being leaked. The company stated that only a small number of users were affected and that they had taken steps to prevent similar incidents in the future.
Then again in 2015, a vulnerability was discovered in IPVanish’s software that could potentially allow an attacker to execute code on a user’s computer. The company quickly released a patch to fix the vulnerability, but the incident raised concerns about the security of IPVanish’s software.
Additionally, in 2016 IPVanish provided logs to the US Department of Homeland Security in a criminal case, a fact that came to light in 2018 through court documents. This was controversial because IPVanish had advertised itself as a “no-logs” VPN service, meaning it supposedly kept no records of user activity. The incident raised questions about the truthfulness of IPVanish’s claims and its users’ privacy; the logs were handed over under IPVanish’s previous owner, Highwinds, before the 2017 acquisition by StackPath.
Most recently, in February 2020, security researchers at vpnMentor reported finding a database of IPVanish user activity logs exposed online. The logs included sensitive information such as user IP addresses, connection timestamps, and other metadata.
These incidents highlight the importance of choosing a trustworthy VPN service and taking steps to protect your online privacy and security. It’s always a good idea to do your research and read reviews from trusted sources before choosing a VPN provider.
- VPNMentor’s report on the 2020 IPVanish data leak: https://www.vpnmentor.com/blog/ipvanish-leak-report/
- The 2016 incident where IPVanish provided logs to US law enforcement: https://torrentfreak.com/ipvanish-no-logging-vpn-led-homeland-security-to-comcast-user-160225/
- The 2015 vulnerability in IPVanish’s software: https://www.theregister.com/2015/05/27/ipvanish_vpn_flaw/
- The 2014 security breach at IPVanish: https://www.vpncompare.co.uk/ipvanish-confirms-user-data-breach/
LimeVPN- Data Leak insights
In 2021, reports emerged of a data leak involving LimeVPN, a virtual private network (VPN) provider based in Hong Kong. The company’s database of user information was reportedly stolen and offered on a hacker forum. The leaked data included users’ names, email addresses, and password hashes, among other sensitive information.
LimeVPN acknowledged the incident and claimed that the attack was the result of a vulnerability in an old version of its website that had since been patched. The company also stated that it had notified affected users and urged them to change their passwords.
The incident highlights the importance of using reputable and secure VPN providers and taking steps to protect personal information online. It is also a reminder that even with the best security measures in place, data breaches can still occur.
- ZDNet article: https://www.zdnet.com/article/limevpn-confirms-data-breach/
- BleepingComputer article: https://www.bleepingcomputer.com/news/security/limevpn-confirms-data-breach-after-hacker-posts-stolen-database/
- LimeVPN statement: https://www.limevpn.com/limevpn-database-breach/
ExpressVPN- Daniel Gericke and Kape Technology controversy
Although ExpressVPN is one of the most popular VPN providers available and promises exceptional security, it has been part of some striking controversies. In 2021, reports emerged of a cyber-surveillance case involving Daniel Gericke, a former US intelligence contractor who was by then ExpressVPN’s chief information officer. Gericke was accused of helping the United Arab Emirates (UAE) government spy on dissidents and other targets by providing sophisticated hacking tools; he and two other former US intelligence operatives agreed to pay fines to the US government to resolve the charges.
This raised concerns about the security and privacy of ExpressVPN’s users. Additionally, in September 2021, ExpressVPN was acquired by Kape Technologies, a company with a history of controversial business practices and a reputation for collecting user data. This has led some to question whether ExpressVPN can still be trusted to protect user privacy.
However, ExpressVPN has stated that it remains committed to its strict no-logging policy and to maintaining the privacy of its users, and it undergoes regular third-party audits to confirm its privacy practices. It remains a popular choice among VPN users due to its strong encryption and user-friendly interface.
- Reuters article on the cyber-surveillance scandal: https://www.reuters.com/technology/exclusive-us-former-intelligence-officers-accused-hacking-emirati-dissidents-2021-09-14/
- The Verge article on the ExpressVPN acquisition: https://www.theverge.com/2018/9/13/17855666/expressvpn-kape-technologies-acquisition-privacy
- ExpressVPN statement on its privacy practices: https://www.expressvpn.com/blog/no-logs-policy-audited-privacy-standards/
Final Words: Can you trust them?
After a VPN provider has been involved in a data leak incident, it is natural for users to question whether they can trust the service to protect their privacy and security going forward. In some cases, VPN providers may take steps to address the causes of the leak, such as improving their security measures or adopting more rigorous privacy policies.
However, in other cases, users may decide that the risk of using a VPN provider that has been involved in a data leak is too high, and choose to switch to a different and more secure VPN. Ultimately, the decision of whether to trust a VPN provider after a data leak incident is a personal one, and should be based on a careful evaluation of the provider’s security measures and track record, as well as the user’s own risk tolerance and privacy needs.