Skip to main content

Hacker obtains data on thousands of VPN users

Hacker Typing
(Image credit: Shutterstock)

A hacker has managed to steal the entire contents of a VPN provider's website server and they are currently in the process of trying to sell thousands of user records on a popular hacker forum.

As reported by the privacy-focused review site PrivacySharks, the no-logs VPN service LimeVPN has fallen victim to a massive data breach that puts more than 69,000 users of its service at risk.  A hacker who goes by the handle 'slashx' recently posted on RaidForums advertising the fact that they had obtained LimeVPN's entire database and wanted to sell it for $400 in Bitcoin. 

TechRadar needs you!

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. 

This survey won't take more than 60 seconds of your time, and you can also choose to enter the prize draw to win a $100 Amazon voucher or one of five 1-year ExpressVPN subscriptions.

>> Click here to start the survey in a new window <<

PrivacySharks then contacted slashx to learn more about the breach and its researchers discovered that the scraped data from the VPN provider's website includes records from its WHMCS billing system as well as account details including usernames, email addresses and passwords.

The hacker also told PrivacySharks that they are in possession of the private keys of every LimeVPN user which means they can easily decrypt each user's traffic.

LimeVPN data breach

In order to gain new customers and retain their current customers, VPN providers must reassure users that their data will remain private and secure when using their services. In this instance though, LimeVPN's image is now in question as the company had its entire database scraped as the result of a security breach.

At the same time though, LimeVPN's no-logs policy will also likely face additional scrutiny because if the company didn't keep logs on its users, then why was a hacker able to obtain them from its site. This is why ExpressVPN, NordVPN and many of the other top VPN providers in the industry have undergone independent audits to backup the claims of their no logging policies.

Just as PrivacySharks reached out to LimeVPN for a comment on its recent data breach, so too did TechRadar Pro and we were also unsuccessful at getting in touch with someone from the company. Additionally, in the time since PrivacySharks published its blog post on the matter, LimeVPN's website went down and slashx is now selling the company's entire website backup at a much higher price.

While contacting LimeVPN may have been an option for the company's customers at the onset of the breach, PrivacySharks now recommends that users change their passwords, order a new credit card and consider investing in identity theft protection.

We'll likely hear more regarding this data breach once LimeVPN releases an official statement on the matter which could take some time as the company's site is still down at the time of writing.

Via PrivacySharks

Anthony Spadafora

After living and working in South Korea for seven years, Anthony now resides in Houston, Texas where he writes about a variety of technology topics for ITProPortal and TechRadar. He has been a tech enthusiast for as long as he can remember and has spent countless hours researching and tinkering with PCs, mobile phones and game consoles.