If you look up “can a VPN be hacked” right now, you’ll likely see mention of NordVPN being hacked. While everybody in the security community was alarmed at the time, the incident was blown way out of proportion.
Yes, it sounds bad when you just say “a VPN was hacked!” without knowing any of the details. To draw an analogy, it’s as if a criminal obtained a key to your apartment. Except you changed the locks like a year ago and that key no longer works. Moreover, the criminal couldn’t access your apartment complex anyway.
People were making it out as if the criminal found the key to the complex itself, and could open every resident’s door with it. That simply wasn’t the case.
However, people were rightfully unhappy with how NordVPN handled things. They only announced the breach had happened six months after they found out about it. Furthermore, they only discovered it a full year after the fact.
This brought the security of VPNs into question for many users. While it’s true that VPNs aren’t infallible (so yes, they can be hacked), we aim to offer concrete solutions to level up your security.
- Can a VPN Be Hacked “the Normal Way”?
- Can You Be Hacked When Using a VPN?
- Can a VPN Hack Your Phone?
- Can a VPN Be Tracked?
- Does a VPN Protect Your Data When It’s Hacked?
- Are There VPNs That Cannot Be Hacked?
- So VPNs Can Be Hacked – What Can I Do?
Can a VPN Be Hacked “the Normal Way”?
People have a pretty sci-fi mental image of what hacking is about, even though the 80’s (where this imagery all began) were like 40 years ago. Show of hands: who’s familiar with the expression “hacking into the mainframe”?
While it’s true that mainframes are considered pretty outdated by today’s standards, quite a few companies still use them. In fact, IBM just released a new model last year. These massive machines act as powerful main servers and can handle billions of web transactions every day.
If a hacker managed to breach a mainframe, it would be just as bad as the movies portray it – for the company, at least. As for actual wide-scale “hacking” events that have dramatic effects, take a look at what ransomware can do to an entire city.
But let’s get back on topic. Can a VPN be hacked through the company’s mainframe? Well, most – if not all – VPNs nowadays rely on data centers (also known as server farms) rather than mainframes for their operations. Why? It’s up to opinion, but here are a few good reasons.
On the cybersecurity side of things, however, data centers are only as secure as the company that handles them. This is why NordVPN terminated their contract with the data center that got breached and promised to improve their vetting practices in the future.
And once again, nothing of import was exposed in the incident. As the NordVPN spokesperson mentioned:
[…] none of our applications send user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted either.
As long as you have a VPN that doesn’t log your data, cyber attackers shouldn’t be able to find anything of value in such a direct attack.
VPN Security Flaws
Like any other piece of software, VPN clients are subject to security holes that can be exploited by cyber attackers. In April 2019, multiple enterprise VPNs were found to be storing user data insecurely.
VPN software from Cisco, F5 Networks, Palo Alto Networks, and Pulse Secure would store authentication cookie data in unencrypted memory logs on user systems. In plain English, that’s basically “the VPNs stored users’ logins on their computers.” Luckily, these companies were made aware of the flaw by a cybersecurity research team, rather than waking up to stolen login credentials.
You can’t really do much to prevent such issues, other than keeping your VPN client up-to-date with the latest security fixes. Naturally, choosing the best VPN service with a great track record can help immensely.
Can You Be Hacked When Using a VPN?
VPNs have security research teams working around the clock to find any security issues before they become a problem (as seen above). But what if a hacker specifically targets you? What can a hacker do to compromise your data while using a VPN? See below.
1. Brute-force Attacks
VPN encryption uses complex mathematics to turn your network activity into gibberish for any outsiders trying to snoop in. The only way a hacker could see what you’re doing is to break the encryption or find the necessary decryption key to “unlock” your communications.
How secure are encryption protocols nowadays? Well, it would take the fastest supercomputer in the world millions of years to find the right key through a brute-force attack (i.e. using automation to try out all the possible combinations).
And that’s only factoring in the AES-256 bit protocol, the strongest commercially available one in VPNs today. There are stronger algorithms available – but suffice to say, your VPN isn’t getting hacked this way any time soon.
Obviously, if your main concern is security, you should stick to the strongest encryption. Don’t use weak VPN encryption protocols like PPTP, which can be cracked by the NSA within minutes.
Now, there are a couple of other ways your VPN could get “hacked” – in the sense that it could lead to your credentials being stolen. Both of them involve a bit of social engineering on the cyber attacker’s part.
Ever gotten a suspicious and spammy looking email that seemed to be from PayPal, your bank, or some other important service? Then you’ve already seen what a phishing email looks like.
Basically, cyber attackers pose as these services and try to get you to insert your login details into their fake, but authentic-looking websites. Naturally, you won’t be able to log in to the actual service – but your credentials end up in the hands of the hackers.
Can a VPN be hacked this way? If your attacker poses as your VPN service, absolutely. For example, you could receive an email saying that there was a problem processing your subscription. All you need to do is “log in to your account” to correct the problem.
Nowadays, hackers do quite a bit of research on their targets before launching a phishing attack. They may use personal information gathered from elsewhere (like social media) to make the emails as believable as can be.
What can you do about it? Here’s an in-depth guide to phishing you can check out for everything regarding the subject – including how to protect yourself effectively and where to report suspected phishing.
Malware is a problem in itself – with almost 10 billion attacks detected in 2019 alone. But ransomware is in a league of its own, as we’ve mentioned above. These days, it’s not uncommon to hear entire cities being shut down because of ransomware.
This subtype of malware can encrypt your system data, making it inaccessible without the correct decryption key. If that sounds familiar, that’s because VPN encryption works pretty much the same way. Except it does so for the good guys, and is restricted to data that passes through your network.
Phishing scams are the most common way ransomware could make its way onto your system. You open an email attachment that looks like it comes from your bank. The next thing you know, your entire hard drive is encrypted and someone is asking for a Bitcoin ransom.
Another way your device could get infected is through security exploits. In 2016, the New York Times, the BBC, the NFL, and other major websites were affected by a type of ransomware that was embedded in their ads. According to Malwarebytes, people didn’t even have to click on the ads for their devices to be infected.
Unfortunately, VPNs can’t help in these scenarios. Your best bet is to always keep your software up-to-date and be mindful of phishing tactics. Consider getting some decent anti-malware as well.
Take a look at these coronavirus scams that have been making the rounds, too; just to get an idea of what you’re up against.
Can a VPN Hack Your Phone?
According to our research, this is something people actually look up – so let’s set the record straight.
Now, a normal VPN isn’t a hacking tool. However, if you don’t research your provider beforehand, you may end up downloading a VPN that’s infected with malware. Needless to say, you’re putting all your sensitive data at risk by doing so.
Mind you, these aren’t just small providers with barely any users. In 2019, the malicious Android VPNs clocked in 518 million total downloads. Meanwhile, the App Store VPNs totaled six million monthly downloads during the same period.
Can a VPN Be Tracked?
First off, your VPN provider can see everything you do, just like your ISP would if you weren’t using a VPN. That’s why it’s important to choose a trusty provider, with a tried and tested no-logging policy.
Of course, that doesn’t mean outsiders (such as hackers or your ISP) can see what you do online. For example, your ISP can only tell that you’re using a VPN, and how much data you’re exchanging with the VPN server.
If you use an enterprise VPN, your employer might also be able to see your online activities. Don’t expect to watch Netflix with the company VPN and not have your boss know about it.
Now, if your VPN isn’t correctly set up, you may experience IP leaks that could tip off whoever is trying to monitor your traffic. We go into more depth in our guide, “Can VPNs Be Monitored?” Make sure to check that out for the details, as well as great ways to protect yourself.
Does a VPN Protect Your Data When It’s Hacked?
As you’ve seen, the cyber attacker from the NordVPN hacking incident didn’t get their hands on any useful data. Despite NordVPN’s glaring oversight, their users’ data remained safe due to how they handle everything else (such as not sending credentials in a way they can be intercepted).
Still, what if the hacker gets their hands on the decryption key mentioned before? Wouldn’t your data be exposed then? Many VPN providers have thought about that scenario and implemented something called Perfect Forward Secrecy (PFS).
Without getting into the technical details, PFS basically ensures that only a small portion of your data would be compromised in such a hacking incident. Why? Because VPNs that implement PFS change their decryption key for every VPN session (i.e. anytime you log on).
Some providers even do it regularly while you’re using the Internet. For instance, ExpressVPN changes theirs every 60 minutes.
Are There VPNs That Cannot Be Hacked?
Unfortunately, no. And providers need to prepare for when quantum decryption comes along in the not-so-distant future. Until then, we can recommend some great providers that have proven themselves virtually hacker-proof.
Check out our list of the best VPNs, where we take a look at six top-notch providers and go over every security feature in detail. Which encryption protocols they support, encryption strength, leak protection, jurisdiction, logging policies, and more.
So VPNs Can Be Hacked – What Can I Do?
To summarize the advice we’ve mentioned throughout the article:
- Research your VPN provider, first and foremost. If you’re unsure about all the technical jargon, take a look at our recommendations or have someone more tech-savvy explain the ins and outs.
- Get a provider with PFS if your threat level has you worried about exposed decryption keys, or NordVPN-like data center incidents.
- Don’t use weak VPN encryption protocols like PPTP.
- Keep all your software up-to-date (including your VPN). You don’t want hackers exploiting any vulnerabilities.
- Be mindful of phishing tactics. Check out the phishing guide we’ve linked to if you haven’t already.
- Use anti-malware (aka antivirus) to protect you from threats other than hacking.
Six relatively easy steps and you’re way ahead of the curve when it comes to data security. Check out our guide on VPN monitoring for even more in-depth tips, that aren’t necessarily tied to hacking.