VPN, or Virtual Private Networking, is a way to browse the web safely and prevent websites from seeing your general location. But a VPN can be hacked as well, and you are not truly safe when browsing the internet with one.
I’m Aaron, a lawyer and technology professional/enthusiast with 10+ years of working in cybersecurity and with technology. I personally use a VPN when browsing the web from home and find it to be a great tool to enhance my privacy online.
In this post, I’ll explain why and how VPNs can be hacked and why and how VPN providers can be hacked. I’ll also explain how you can be impacted and what that means for your VPN use.
- With enough time and attention from cybercriminals, anything can be hacked.
- VPN services can and have been hacked.
- The impacts of a VPN hack can be significant.
- You can still browse safely without a VPN.
What is VPN and Why is VPN Used?
VPN, or Virtual Private Network, is a way for you to hide your identity on the internet. It works by creating a secure connection between your computer or mobile device and a server somewhere in the world. All your internet traffic, then, is routed through that server.
What that means is that for all intents and purposes, the world sees you as that server.
When you visit a website, you request information from that site—or rather, the servers storing that site—and those servers request information from you. Specifically, the site asks: what is your address so I can send you data?
That address is called an IP, or Internet Protocol, address. The site server asks for that data so it can send you the information you need to view the site. This happens every time you click a link, every time you stream video, or every time you listen to music online.
A VPN server creates a secure connection between you and itself. The server then asks for data from websites on your behalf and provides its own address to those sites. It then relays the information back to you over that secure connection.
Why would you want to do that? Here are a couple of reasons:
- Almost every website nowadays asks for location information. Based on your location and search habits, businesses online can associate your IP address with your actual location and name. You may not want that to happen.
- You cannot access video or music content in your country. Having an IP address based in a different country may circumvent that.
- Many countries have civil legal penalties for peer-to-peer sharing of copyrighted material. Having a different IP address makes it more difficult to associate that activity with an individual. You’ll see later in the article why using VPN for this purpose is a placebo, at best.
Can a VPN Be Hacked?
The best way to answer whether a VPN can be hacked or not is to think about the core components of VPN:
- An application on the computer or in a web browser.
- A connection between the computer/browser and a VPN server.
- The VPN server itself.
- A company that provides and manages the application, connection, and server.
Each element of the VPN connection can be compromised, which in turn compromises the masking of your IP address. In short: you can be identified as you on the internet.
Some of the ways VPN services can be hacked are:
1. VPN servers log information for diagnostic and security purposes. Some of that information may include the IP addresses of computers connecting to those servers. If a VPN server is compromised, someone can steal those logs and read them, discovering the true online identity of VPN users.
2. Just as VPN servers can be compromised, so can the companies that run them. If those companies maintain log information, that information can be stolen. This happened to NordVPN in 2018, when one of its data centers was compromised.
3. Legitimate law enforcement (e.g. a warrant) and legal process inquiries (e.g. a subpoena) can force disclosure of information gathered by a VPN company.
4. The connection between the computer/browser and the VPN server can be hijacked and redirected to a cybercriminal who collects data while passing requests through. That is called a “Man in the Middle Attack.” The use of encrypted connections makes this more difficult. However, as demonstrated by a series of attacks on NordVPN, TorGuard, and Viking VPN, a threat actor can steal the encryption keys that protect those connections. That would allow them to decrypt the data stream with ease.
5. The source computer/browser can be compromised with malicious code or access to that endpoint. This was revealed to be actively exploited in Pulse Connect Secure, a corporate VPN provider, in early 2021 (source).
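Item 1 above turns on what the server's logs retain. As an added illustration (not code from this post or from any VPN provider; the log format, field names, and sample lines are constructed), this Python sketch minimizes a connection log before it is stored: the client address is truncated to its network prefix and paired with a keyed pseudonym, so a stolen log narrows a session to a network block rather than to one address.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Constructed sample lines in a hypothetical "timestamp client_ip exit_node bytes" format.
RAW_LOG = [
    "2024-05-01T10:00:03Z 203.0.113.57 exit-nl-01 48211",
    "2024-05-01T10:04:41Z 2001:db8:12:3400::9a exit-nl-01 1022",
    "2024-05-01T10:09:12Z 203.0.113.57 exit-us-02 733",
    "2024-05-01T10:11:00Z not-an-ip exit-us-02 10",
]

def truncate_ip(ip_text):
    """Keep only the network prefix: /24 for IPv4, /48 for IPv6."""
    ip = ipaddress.ip_address(ip_text)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def pseudonym(ip_text, key):
    """Keyed hash: groups one client's sessions without storing the address."""
    canonical = str(ipaddress.ip_address(ip_text)).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()[:12]

def minimize(lines, key):
    """Return lines fit to retain; malformed lines are dropped, never stored raw."""
    out = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, node, nbytes = parts
        try:
            out.append(f"{ts} {truncate_ip(client)} {pseudonym(client, key)} {node} {nbytes}")
        except ValueError:
            continue  # unparseable address: discard rather than keep unknown data
    return out

if __name__ == "__main__":
    rotation_key = secrets.token_bytes(32)  # held in memory, discarded at rotation
    for entry in minimize(RAW_LOG, rotation_key):
        print(entry)
```

Once the rotation key is discarded, the pseudonyms can no longer be recomputed from a candidate address, which is what keeps the small IPv4 space from being brute-forced against a stolen log.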
How Do I Know If My VPN is Hacked?
Unfortunately, there’s no way for you as the end user to tell if your VPN connection is compromised until the VPN vendor reports an issue publicly.
What Happens If My VPN Connection is Hacked?
You will be identifiable on the internet. In some cases, the compromise of online privacy will result in online businesses gathering more data about you, your behaviors, and preferences. For some, this can be an egregious breach of trust. For others, it’s an annoyance, at best.
If your primary use of a VPN connection is to watch videos only available in other geographic locations, then you may be out of luck. A compromise of that connection, and of your ability to hide your true address and location, may prevent you from consuming content not available in your region.
Things get dicey for VPN users when the VPN service is compromised and they broke the law while using it. The complexities of international law are too deep to highlight here. Suffice it to say: if you live in a country that has warrant or subpoena power over the VPN service you are using, then there is a high risk and probability of those records of your use being divulged.
If your use can be linked with the VPN server, and the VPN server can be linked with illegal activity, then by extension your use can be linked with illegal activity. You can then be penalized for that activity, as people have been in the past.
Here are other questions you might have; I’ll briefly answer them below.
Are Paid VPN Services Safer than Free VPN Services?
Yes, but only in the sense that free VPN services are almost certainly selling your information. Otherwise, all other considerations are identical.
A saying that has served me well in the technology world: if you’re getting a product for free, then you’re the product. No VPN service is provided as a public good or benefit and VPN services are expensive to maintain. They have to make money somewhere and selling your data is profitable.
Can NordVPN Be Hacked?
Yes, and it was! That doesn’t mean it’s a bad service–in fact, it’s widely regarded as one of the better ones available.
VPN services can and have been hacked. What does that mean to you, the end user?
If you’re planning on doing something that is questionably or definitely illegal in your jurisdiction but want to use a VPN to hide your activity, then you should be aware of the risks.
If you’re using it to circumvent geolocation restrictions, then you should understand that it may not be totally effective in all situations. As with any tool, use it intelligently and follow safety instructions.
Do you use a VPN service? Which one? Share your preference in the comments.