Over 2 million VPN passwords have been stolen – here's what you can do about it
Proton VPN, ExpressVPN, and NordVPN are the biggest targets
You probably know by now that using one of the best VPN apps makes your online life more private and secure. But what if your VPN logins get compromised?
New research from password management and authentication solution provider Specops Software found that over two million VPN passwords have been malware-stolen during the past year. Worse still, three of TechRadar's most secure VPN providers were among the most affected services.
While these worrying findings aren't related to the security offered by the VPN services, I reached out to the affected providers to understand what's at stake and how to better secure your VPN account.
The danger of compromised VPN passwords
A VPN (virtual private network) is a security software that encrypts your internet connections to ensure third parties cannot access your data in transit. At the same time, it also spoofs your real IP address location to keep you more private online.
Consumers and organizations are increasingly using VPNs to boost their privacy when browsing the web. For organizations, it's more important than ever for employees to connect to a reliable business VPN as remote work gets more widespread.
Yet, "if VPN passwords are becoming compromised, these great cybersecurity benefits can be undone and actually offer a route into your organization for attackers," said Darren James, Senior Product Manager at Specops Software.
The research team analyzed VPN compromised credentials between August 20, 2023, and August 20, 2024, and found that 2,151,523 users' passwords had been stolen by malware during the period.
Among these, over a million (1,306,229 to be more precise) came from users of one of the best free VPN services on the market, Proton VPN. ExpressVPN and NordVPN follow suit as the most stolen credentials with 94,772 and 89,289 respectively.
The most common password to be compromised was 123456, which was found to be leaked 5,290 times. Despite this, the findings suggest that users had mostly used unique or strong passwords. "But this hasn’t stopped them from becoming compromised," noted researchers.
Users may have been tricked into giving away their secret login details on fake websites impersonating the VPN provider. Cybercriminals are used to taking advantage of reliable brands to carry out phishing attacks. Keylogger malware could also be used to capture keystrokes, including VPN passwords.
A NordVPN spokesperson also suggests that cybercriminals may have used so-called credential stuffing attacks to compromise VPN passwords. This type of attack takes advantage of the people's tendency to reuse the same password across different accounts, by trying to match previously leaked credentials with other services.
"Credential stuffing is a problem not only for us but for almost every other digital service and website," explained NordVPN.
Similarly, Lauren Hendry Parsons from ExpressVPN highlights how the leak didn’t occur through the compromise of any VPN provider, but in a range of ways such as brute force attacks and sophisticated phishing.
"Given that ExpressVPN is a leading VPN provider with 4 million active users around the world, it stands to reason that a substantial number of ExpressVPN credentials are included in this report," she told me. "Importantly, we cannot know how many of the identified credentials are active versus expired."
How to secure your VPN passwords
The biggest takeaway here is just using security software like a reliable VPN app isn't enough to keep you safe online. You must be careful of the links you click and practice good cyber hygiene at all times, too.
On this point, Parsons from ExpressVPN said: "This research is a tangible reminder of the dangers of phishing and malware, and we encourage everyone to practice good password hygiene."
She suggests using strong and unique passwords at all times. I recommend trying out a password manager tool to help you with this. If you're already a NordVPN, ExpressVPN, or Proton VPN user, good news! All these providers include such a tool with its VPN service.
As a rule of thumb, NordVPN suggests creating long and complex passwords that include a mix of letters, numbers, and special characters to make them harder to guess.
Stronger and safer passwords are not rocket science. You only need a password manager. 😉 pic.twitter.com/ZclvnonwIfAugust 12, 2024
Another important step to keep your VPN account safe is to enable two-factor authentication (2FA) or multi-factor authentication (MFA). This practice easily boost up your account security by requiring additional verification beyond just a password.
Using a reputable antivirus software is also an important step as it helps you to keep your device malware free. While not being a full antivirus, NordVPN Threat Protection Pro can considerably mitigate these type of threats.
You should also keep monitoring your accounts for suspicious activities, while staying informed about data breaches as they occurred. To do this you might want to consider using data breach alert services.
Parsons from ExpressVPN also said: "Beyond that, we’d recommend everyone educate themselves on the phishing practices and protect themselves by never clicking on suspicious links, or downloading attachments from unknown sources."
Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life—wherever cybersecurity, markets and politics tangle up. She mainly writes news, interviews and analysis on data privacy, online censorship, digital rights, cybercrime, and security software, with a special focus on VPNs, for TechRadar Pro, TechRadar and Tom’s Guide. Got a story, tip-off or something tech-interesting to say? Reach out to chiara.castro@futurenet.com