VPN Data Breaches, Leaks, and Security Risks: Essential Guide for Users
VPNs are designed to protect privacy, yet the companies behind them are not immune to breaches, leaks, and internal failures. When a VPN provider mishandles data or suffers a security incident, the consequences can expose users to tracking, identity theft, or legal risk. Understanding how VPN breaches happen, what data is actually at stake, and which warning signs matter most is essential before trusting any provider. This article breaks down real cases, root causes, and practical ways to reduce exposure.
Key takeaways
- VPN data breaches and company data leaks differ in intent, but both can expose sensitive user information with long-term consequences.
- Weak server security, poor no-logs enforcement, and social engineering are the most common causes of VPN-related incidents.
- Free VPNs are disproportionately affected by breaches and leaks due to aggressive data collection and weak security practices.
- Choosing providers with minimal data retention, strong transparency, and decentralized architecture significantly reduces risk.
Nobody is perfect - everyone, including providers of cybersecurity tools like VPNs, can and does fall victim to data breaches and leaks. Successful data breaches take meticulous work, and highly skilled hackers spend months looking for weaknesses to exploit. Company data leaks, on the other hand, can be accidental and involve unsecured databases, or they can be part of a deliberate strategy to leak customer data for financial or other gain.
New VPN company data leaks are reported once or twice every year (2024 being a welcome exception, with no leaks reported this year), while VPN data breaches have only happened a few times since VPNs came into the mainstream. One VPN service, SuperVPN, has fallen victim to both of the two biggest company data leaks and to a publicly known breach. In July 2020, VPNMentor found a database belonging to 7 VPNs, SuperVPN included, containing extremely sensitive data of over 20 million users. In February 2021, CyberNews wrote that a huge database with data connected to another 21 million users was hacked and sold online. This hack had three victims: SuperVPN, GeckoVPN, and ChatVPN. Two years later, in May 2023, VPNMentor reported another unprotected database with 360 million records, also belonging to SuperVPN.
Continue reading if you want to learn more about what VPN company data breaches and leaks are and about the most notable known cases. You will also learn what the possible consequences of having your data leaked are and how to protect yourself from it happening in the future.
What is a VPN data breach and how does it work?
A VPN data breach occurs when unauthorized individuals access sensitive data, infrastructure, or communications handled by a Virtual Private Network provider. Such breaches are the result of illegal actions against a company that target its technical vulnerabilities or take advantage of human error. A breach can also compromise the privacy, security, and integrity of users’ internet activities, which the VPN is supposed to protect.
Company data breaches can be broken down into several common types:
- Network-based attacks. These go after a VPN’s servers, trying to exploit weak spots in systems or protocols. Think denial-of-service or man-in-the-middle attacks or attempts to take advantage of unpatched systems. The good news is that solid VPN providers have strong defenses in place, so pulling off these kinds of attacks is a very rare occurrence.
- Brute force attacks. These attacks try to take advantage of simple passwords by trying to enter thousands of possible combinations with the hope of getting lucky. As VPNs usually have a higher security standard than an average company, a successful brute-force attack on a VPN company is highly unlikely.
- Stolen data. Sensitive user or company data could be simply stolen, by physically taking away a computer, hard drive, or a mobile device. This is even more relevant nowadays, with the post-COVID remote work culture meaning employees can be scattered all around the world, not just in a singular, secured building. Pew Research suggests that 35% of all employees based in the US that can work at home do so all of the time.
- Downloaded malware. Company employees could accidentally download malware into their computers that could delete or simply steal important data. There are numerous types of malware meant for different purposes, not just stealing data.
- Phishing (and other types of social engineering). Phishing is a technique of making fake websites, emails or text messages appear legitimate to trick users into sharing their personal info: logins or payment details. Social engineering, on the other hand, is a wider practice of tricking people even in the real world. A hacker might send a mass email to all employees of a VPN company, posing as an external customer support manager wanting to reconfirm existing passwords. As it only takes one employee to believe the ruse, such attacks are quite common.
All of these breach types can be combined together into a complex hack strategy. For example, a physical device might be stolen to put keylogger software into it and then returned, just like you would see in a spy movie. Such software is used to track the text entered using the device’s keyboard. Even though this is not the exact same scenario, hackers breached the popular retailer Target by stealing the login info of a supplier - an HVAC company, since their systems were connected. Target’s customer database was breached and payment card numbers were stolen in 2014, as noted by Campus Guard.
Differences between a VPN data breach and a company data leak
A data breach is a security incident where an unauthorized party deliberately gains access to sensitive data. Think of it as a break-in where the intruder picks the lock, sneaks inside, and takes whatever valuable information they can find. Breaches often involve skilled hackers exploiting software vulnerabilities, infiltrating servers, or using phishing attacks to bypass security measures. A company data leak, on the other hand, happens when sensitive data becomes publicly accessible due to poor security practices, user errors, or bad intentions by the data holder. There is usually no external intrusion involved - it’s more like accidentally leaving the back door wide open. It’s also possible, however, that the company you trusted your data with has decided to secretly sell it or share it with third parties, which can also be considered a data leak.
Methods and examples
Data breaches often involve sophisticated attack methods executed by skilled hackers. They can be targeted attacks on a specific entity or broader intrusions affecting multiple organizations. For example, in 2018 a well-established VPN company NordVPN fell victim to a hacker attack executed through a poorly secured remote access account left active by the owners of a server the provider rents, as reported in their own press release.
Company data leaks, by contrast, occur through accidental or intended data exposure. Such leaks can be caused by misconfigured databases, unsecured APIs, a desire for ad revenue, or government subpoenas. For instance, Cybernews discovered an accidentally unsecured database containing 25 million data records belonging to BeanVPN and reported it in a 2022 article.
When it comes to government intervention, law enforcement agencies sometimes request VPNs in their legal jurisdiction to hand over data (logs) of their customers, which can be classified as a very specific company data leak. In 2017, the FBI accessed the data of a PureVPN user with the provider’s consent, according to official court documents.
Impact
Both data breaches and company data leaks can have severe consequences, but the intent and execution make their impact slightly different. Breaches, being intentional, are often more targeted and can involve data theft, ransomware, or sabotage, depending on the attackers’ motives. The victims may face data manipulation, identity theft, or exposure of highly sensitive information. Breaches are carried out with the intent of doing something with the information found.
Company data leaks are less about malicious intent and more about internal policies or negligence. While the data exposed is just as sensitive, the lack of active “attacker engagement” may provide some relief. Still, once the data is out in the wild, bad actors can pounce on the opportunity, leading to unintended consequences such as data scraping, mass identity theft, an increased amount of spam messages, or cyber scams. Data sold to advertisers means that victims would also receive more targeted ads, while lawbreakers whose data is handed over to authorities would face more significant evidence in court.
Most common reasons for a VPN data breach
While VPNs are designed to offer a safe passage for your internet traffic, breaches occur when vulnerabilities in their own systems are exposed. These may range from weak data handling practices such as poorly secured servers to failures in enforcing a true no-logs policy. These are the most common reasons for VPN data breaches:
- Missing no-logs policy. You cannot lose data that you don’t keep. If a VPN does not have a no-logs policy (a promise to keep as little user data as technically possible), or they’re sloppy about enforcing it, your data is at risk of being stolen by hackers.
- Server slip-ups. Poorly configured servers can leave the door open for attackers to sneak in and get their hands on sensitive data. This is especially relevant for VPNs that don’t own their servers and simply rent them, as they don’t have full control over their security.
- Social engineering. VPNs are operated by people, just like any other company. Therefore, they can also fall victim to social engineering - schemes designed to fool employees into downloading malware or handing over sensitive data such as system logins.
- Poor data handling practices. Not all data is of the same importance, which makes sense. What makes less sense is when “unimportant” databases are protected poorly or not at all - that’s when they are at the highest risk of being breached.
- Previous breaches. VPN data breaches do not necessarily involve customer data, but that doesn’t mean they can be ignored. For example, a VPN data breach might only affect VPN server security keys, not customer data. These same keys could then be used to impersonate a server and create a data breach - one where the browsing data of users connected to the server could be observed directly.
Impact of VPN data breaches
When a VPN provider suffers a data breach, the repercussions go far beyond just technical damage - they strike at the heart of customers’ trust and business reputation, and reveal weaknesses such as misconfigured servers or poor internal security practices. Another recurring factor is inadequate enforcement of “no-logs” policies, where customer data meant to be anonymous is in fact stored or improperly deleted.
The information exposed during VPN data breaches can be devastatingly sensitive. Even though the exact data stolen differs on a case-by-case basis, looking at past VPN data breaches and accidental company data leaks, we can see that the most common data types leaked are:
- Connection time stamps
- User IDs
- Original user IP addresses
- Email addresses
- Passwords
Together with data loss, a breached company suffers severe damage to trust and credibility. VPN users subscribe with the expectation that their online activity will remain private and secure. When that trust is broken, users often leave en masse, causing a substantial loss of revenue and tarnishing the brand’s reputation. In the U.S., a whopping 83% of people say they’d stop spending money at a business for a few months right after a security breach, a 2019 survey by PCI Pal found. Even more striking? Over 20% claim they’d never go back at all. These numbers might even be higher for a VPN since information security is the very reason customers buy these tools.
Beyond this, legal problems can arise if the company operates in jurisdictions with strong data protection laws, potentially leading to fines or legal action. For example, in 2017, Uber settled a class-action lawsuit with affected customers after a data breach, paying $148 million, according to the US Department of Justice.
A history of all significant VPN data breaches
2021: SuperVPN, GeckoVPN, ChatVPN
The situation
In 2021, hackers breached the systems of three free VPN services: SuperVPN, GeckoVPN, and ChatVPN, according to CyberNews. This attack led to the theft of a massive trove of user data, putting the security and privacy of millions of users in jeopardy. Initially, the stolen data was advertised for sale on a prominent hacker marketplace. However, in May 2022, around 10 GB of this stolen data was leaked for free on Telegram, further amplifying the risks for affected users.
The data was stolen when cybercriminals exploited the VPNs’ failure to change default database credentials and lack of encryption, allowing them easy, unrestricted access to sensitive user data stored on their servers.
Data stolen
The incident exposed deeply personal information belonging to over 21 million users. This included:
- Usernames
- Full names
- Country details
- Billing information
- Email addresses
- Passwords
- Premium membership status and validity periods
The exposure of this data opens the door for a wide range of criminal activities, from targeted phishing attacks to identity theft and financial fraud. Since the data includes real names, country details, and billing information, criminals have the potential to craft highly personalized scams, making them especially deceptive and hard to spot.
VPN’s response
The VPNs involved in this data breach issued no publicly documented response. Seemingly no security improvements or proactive notifications were made to warn users about risks or next steps, compounding the potentially devastating impact of the breach on users’ trust and privacy.
2021: Pulse Secure VPN
The situation
Hackers, suspected of being tied to China, exploited vulnerabilities in Pulse Secure VPN appliances. The attacks targeted at least five US government agencies, together with defense contractors, and financial institutions in the US and Europe alike. Investigators have linked some of the activity to China’s APT5 group, but other actors may also have been involved, as reported by CNN.
Data stolen
The attackers gained direct access to victim organizations, heightening risks of espionage, fraud, or further cyberattacks. They stole sensitive data, including account credentials, although the whole scale of the theft is unclear.
VPN’s response
Pulse Secure and its parent company Ivanti, in collaboration with forensic experts and industry groups, conducted a thorough investigation into the breaches. They issued direct mitigation guidance for impacted customers and provided a tool to help users self-detect signs of compromise, outlined in their own press release. The VPN’s active response to this incident could be considered an excellent example of dealing with a data breach, even though there wasn’t much transparency as to what data was stolen or how many victims were affected.
2018: NordVPN, TorGuard, VikingVPN
The situation
In October 2019, it was revealed that three VPN providers (NordVPN, TorGuard, and VikingVPN) experienced security breaches connected to a rental server based in Finland. All three VPNs were using the services of the same data center. The NordVPN breach occurred sometime between January 31 and March 5, 2018, when an attacker took over a remote management account left active by the data center. TorGuard, on the other hand, initially attributed the incident to a September 2017 vulnerability, but leaked evidence dated the attack to May 3, 2018, coinciding with an 8chan discussion that exposed hacked server details. Almost nothing is known about the VikingVPN breach, but it happened on the same day as TorGuard’s.
Data stolen
NordVPN: The attacker acquired Transport Layer Security (TLS) keys, which could have enabled phishing or spoofing attacks via fake NordVPN websites. These keys only expired in October 2018, around half a year after the breach. There was no evidence that user credentials or encrypted traffic were accessed. The attackers may have observed the encrypted and anonymized connections of up to 200 users.
TorGuard and VikingVPN: Exposed server data included configuration files, private keys, and session details. TorGuard stated that VPN or proxy traffic was not affected and denied any threat to other servers. VikingVPN’s response remains unclear.
VPN’s response
NordVPN: NordVPN was quite late to publicly address the situation, as they only released a comment on October 21, 2019, a day after the breach was exposed on Twitter by the user @Hexdefined. The company, however, was aware of the breach back in April 2019 (meaning the official response came a year and a half after the incident). The response was delayed because they had launched an internal security audit. In their own words, they chose to “not notify the public until we could be sure that such an attack could not be replicated anywhere else on our infrastructure.” This comes from their official press release on October 21, 2019. However, in terms of actions taken, their response could be considered exemplary. Here’s a breakdown:
- Stopped all ties with the Finnish data center.
- Launched an internal audit of its 5,000+ servers.
- Partnered with VerSprite for penetration testing, source code reviews, and intrusion handling. According to a report by the VPN, 17 bugs were found and squashed.
- Introduced a bug bounty program to encourage reporting of vulnerabilities.
- Made their vendor policy stricter.
- Committed to a third-party security audit in 2020, covering hardware, software, and internal procedures. However, the only public evidence of a subsequent action is a 2020 external audit on their no-logs claim by PwC, outlined in their blog post.
- Started the transition to a RAM-only server architecture, ensuring no locally stored data could be accessed. These servers are also called “colocated”, which means fully owned and set up by the VPN company, as per NordVPN’s article.
- Offered refunds to users dissatisfied with the breach.
TorGuard: The VPN said that they received news of the breach in May 2019, after being contacted directly by NordVPN, according to their own blog. Interestingly enough, they then chose to sue NordVPN for “plotting against them, hacking their servers, launching a DDoS attack against them on Black Friday, and physically intimidating someone”. This quote comes from a NordVPN account of the situation, which provides significantly more detail. In TorGuard’s own account, which is no longer online and is only accessible using the Internet Wayback Machine, the VPN claims that NordVPN threatened to publicize the breach if TorGuard’s affiliate didn’t remove negative comments about NordVPN. NordVPN’s representative reportedly physically showed up at a TorGuard employee’s residence. Whatever the truth may be, the case was dismissed by the court.
TorGuard claims that the breach was due to internal mismanagement, not an external compromise. In addition, they said that “TorGuard VPN or proxy traffic was not compromised during this isolated breach of a single VPN server and no sensitive information was compromised during this incident” in the blog post mentioned above. They have ceased cooperating with the affected Finnish data center and reissued their TLS certificates.
TorGuard had claimed to not be able to share more information on the breach due to legal proceedings but never issued further comments after the case was dismissed.
VikingVPN: VikingVPN has not addressed the issue publicly, so their response is unknown.
The data breaches mentioned above were the consequences of deliberate hacks. Company data leaks, on the other hand, are often discovered because of data holder negligence - but that doesn’t mean they are less impactful to their victims.
The biggest VPN company data leaks
- 7 free VPNs: Over 1 billion records unsecured in 2020. VPNMentor found an unsecured database shared by 7 VPNs: UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN. The database contained extremely sensitive information: “Activity logs, PII (names, emails, home address), cleartext passwords, Bitcoin payment information, support messages, personal device information, tech specs, account info, direct Paypal API links”.
- Super VPN: 360 million records exposed in 2023. An unsecured database with “user email addresses, original IP addresses, geolocation, and records of servers used”, together with user ID numbers was discovered by VPN Mentor. The records might also be related to other services: Storm VPN, Luna VPN, Radar VPN, Rocket VPN, and Ghost VPN.
- BeanVPN: 25 million records discovered in 2022. CyberNews found an unsecured database containing “user device and Play Service IDs, Internet Protocol addresses (IPs), and connection timestamps, among other diagnostic information”, that could be used to de-anonymize users.
- Hotspot Shield: user data logged and sold to advertisers. A 2017 complaint filed by the Center for Democracy and Technology claimed that Hotspot Shield, a free VPN service, logs its users’ location and IP addresses, unique device identifiers, and browsing information, and then cooperates with advertisers for financial benefit. The number of affected users is unknown, as the VPN does not share the number of clients it has.
- Windscribe: unencrypted servers seized by Ukrainian authorities in 2021. ArsTechnica reported that the seized server certificate and its private key could have been used to set up a fake Windscribe server and track the traffic passing through it. The number of users affected and what other data the servers contained are unknown.
VPN security risks and vulnerabilities
VPNs come with their own security risks and vulnerabilities that could lead to data breaches or leaks. The most common issues include DNS and IP leaks, which expose your browsing activity and location despite the VPN being active, VPNs failing to properly secure their databases, as well as the use of outdated or weak protocols, leaving user connections susceptible to decryption.
Free or low-quality VPNs are the most common offenders here, as they skimp on the necessary tech or even try to monetize your data by selling it to third parties.
In addition, using VPNs on unsecured or public networks could lead you to fake websites if the VPN provider doesn’t have its own DNS servers. You could also still fall victim to phishing or malware attacks, as VPNs are not a security tool that protects you from everything.
Ultimately, a VPN won’t protect you if the service itself lacks critical security features, making it essential to choose a reliable provider with high-security standards to avoid becoming a victim of data breaches and leaks.
Most vulnerable VPNs
The VPNs that are most vulnerable to data breaches and company data leaks often share one feature - they are free to use. The worst offender here is arguably Super VPN, which we mentioned before as a free Android VPN with a fake no-logs policy that fell victim to a massive user data leak in 2020, a breach in 2021, and another leak in 2023. Even if a free VPN isn’t outright hacked, it often still shares user data with third parties for financial gain - we strongly advise you to avoid them altogether.
With that in mind, we wouldn’t put all of the providers that have been breached once in the same category of most vulnerable VPNs. Companies have the right to learn and improve their services as long as it’s clear that their mistakes were just that and don’t indicate significant ineptitude or malice. NordVPN, for example, showed an excellent response mechanism to their 2019 breach, with clear steps taken to improve the security of their service.
So how should you choose a VPN that isn’t likely to let you down? We provide steps you can take in the next paragraph.
How to know if your VPN is vulnerable?
No matter if you are a personal or an enterprise VPN user, the steps to finding out if your VPN is vulnerable are the same. Number one is to do your due diligence. Start by searching the web with the name of the VPN and the words “data leak”, “data breach” or “is it safe” attached. If there has been a major scandal involving your VPN, you will surely find news articles talking about it. If the only things you can find are forum posts by concerned users, this isn’t necessarily a deal breaker, but more research is needed.
Secondly, read the privacy policy. Look for promises of a no-logs policy and see exactly what data the VPN stores, and how it’s handled. Does the VPN collect data unnecessary for operations? Does it share that data with anyone else?
Just in case, check the VPN protocols and encryption algorithms used. For VPN protocols, one of these should be used:
- OpenVPN
- L2TP/IPsec
- IKEv2/IPsec
- WireGuard
- SoftEther
For encryption, either the AES-256 or ChaCha20 algorithms should be in play.
This, of course, directly indicates whether your service protects your connection properly according to today’s standards. If it doesn’t, that is a clear red flag, which might also mean you should be wary of their customer data handling methods.
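One way to run the cipher check described above against a client profile supplied by your provider (an added example, not code from this article or from any VPN provider): it reads an OpenVPN or WireGuard profile and lists any configured data-channel cipher outside the AES-256/ChaCha20 criterion. The sample profiles, the hostname vpn.example.net and the function names are constructed for illustration.

```python
import re

# Constructed sample profiles; vpn.example.net and all values are placeholders.
FAILING_PROFILE = """\
client
dev tun
remote vpn.example.net 1194
# legacy cipher left enabled for old clients
cipher BF-CBC
data-ciphers AES-256-GCM:AES-128-GCM:BF-CBC
<ca>
constructed placeholder, not a real certificate
</ca>
"""
PASSING_PROFILE = """\
client
dev tun
remote vpn.example.net 1194
data-ciphers AES-256-GCM:CHACHA20-POLY1305
data-ciphers-fallback AES-256-CBC
"""
WIREGUARD_PROFILE = """\
[Interface]
PrivateKey = CONSTRUCTED_PLACEHOLDER
Address = 10.0.0.2/32
[Peer]
PublicKey = CONSTRUCTED_PLACEHOLDER
Endpoint = vpn.example.net:51820
"""

# OpenVPN directives that select the data-channel cipher.
CIPHER_DIRECTIVES = {"cipher", "data-ciphers", "data-ciphers-fallback", "ncp-ciphers"}
# The article's criterion: AES-256 (any mode) or ChaCha20.
ACCEPTED = re.compile(r"^(AES-256-[A-Z0-9]+|CHACHA20-POLY1305)$")


def iter_directives(text):
    """Yield (name, args) per OpenVPN directive, skipping comment lines
    (starting with # or ;) and inline blocks such as <ca>...</ca>."""
    inline_tag = None
    for raw in text.splitlines():
        line = raw.strip()
        if inline_tag:
            if line == f"</{inline_tag}>":
                inline_tag = None
            continue
        if not line or line[0] in "#;":
            continue
        opened = re.fullmatch(r"<([\w-]+)>", line)
        if opened:
            inline_tag = opened.group(1)
            continue
        parts = line.split()
        yield parts[0].lower(), parts[1:]


def audit_profile(text):
    """Return protocol, configured ciphers, ciphers failing the criterion, and a verdict."""
    if re.search(r"^\s*\[Interface\]\s*$", text, re.M | re.I):
        # WireGuard has no cipher negotiation: transport is always ChaCha20-Poly1305.
        return {"protocol": "wireguard", "ciphers": ["CHACHA20-POLY1305"],
                "rejected": [], "verdict": "pass"}
    ciphers = []
    for name, args in iter_directives(text):
        if name in CIPHER_DIRECTIVES and args:
            # data-ciphers / ncp-ciphers take a colon-separated preference list.
            ciphers += [c.upper() for c in args[0].split(":") if c]
    ciphers = list(dict.fromkeys(ciphers))  # de-duplicate, keep first-seen order
    rejected = sorted(c for c in ciphers if not ACCEPTED.match(c))
    if not ciphers:
        verdict = "unspecified"  # profile relies on the client's built-in defaults
    else:
        verdict = "fail" if rejected else "pass"
    return {"protocol": "openvpn", "ciphers": ciphers,
            "rejected": rejected, "verdict": verdict}


if __name__ == "__main__":
    for label, profile in (("failing", FAILING_PROFILE),
                           ("passing", PASSING_PROFILE),
                           ("wireguard", WIREGUARD_PROFILE)):
        print(label, audit_profile(profile))
```

A verdict of "unspecified" means the profile sets no cipher at all, so the outcome depends on the defaults of the client version in use and should be confirmed from the connection log.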
Finally, if you have any friends or colleagues who work with cyber security - ask them. Even though they might not know the ins and outs of your VPN by heart, they will know where and what to look for when helping you out. If you don’t have anyone to ask, go for a popular decentralized VPN such as PortalsVPN - dVPNs are safer than centralized VPNs in general.
Consequences for users affected by data breaches or company data leaks
Depending on how much and what types of data were leaked or breached, the consequences of such an incident can be devastating to the victims. First, the chilling fear of further incidents, a feeling of insecurity, and loss of trust in the data holder and other similar services shouldn’t be underestimated, even if they cannot be expressed in monetary terms.
Loss of privacy is another important consequence, as people generally think that they can control with whom they share their personal information such as birth date, purchases, or internet browsing habits. After a company data leak or breach, that control is lost, as an unidentifiable number of bad actors can now see people’s private data they would not share otherwise.
If user browsing activity records fall into the wrong hands, they could be used for blackmail and extortion: asking victims for money so the records would not get publicized if illegal or shameful activity was recorded.
Legal trouble is another consequence of stolen browsing records. If made public, citizens and residents of countries where VPNs themselves or certain web activities (such as using social networks) are illegal could face prosecution and arrest for breaking local laws.
Finally, another damaging consequence of data breaches and leaks is identity theft. BigID indicates that 57% of data breaches result in identity theft, according to 2021 research by the Identity Theft Resource Center. Examples include opening financial accounts in the victims’ name (taking out loans, for example), accessing existing accounts, using the data stolen to set up convincing phishing schemes, or online shopping fraud.
The more information a user provides to a particular service, the more they are at risk of getting their personal information abused for further crimes.
How to protect yourself from data breaches and company data leaks?
Nowadays, navigating the internet with all of its benefits and risks is complicated. It’s truly upsetting when a VPN, a tool designed to protect you from bad actors on the web, can leak your personal data, leading to potentially disastrous consequences.
We advise you to follow these steps to protect yourself from future VPN data breaches and company data leaks and to reduce their consequences:
- Share only the information you have to
- Do research about the services you use and their reliability
- Opt for VPNs with RAM-only servers
- Limit reusing passwords
- Use disposable bank cards when paying
If all of this seems too complicated for you - simply choosing a dVPN instead of the centralized alternative is a step with 80% of the results, but only 20% of the effort. dVPNs are safer than centralized VPNs because their decentralized infrastructure doesn’t allow the service to collect and keep as much data about you. In addition, their residential IP addresses allow you to surf the web more freely as well, as you look like a regular internet user to curious third parties.