LimeVPN has confirmed a data incident, while its website has been taken offline.
According to researchers, the VPN provider known as LimeVPN was hacked, affecting 69,400 user records.
A hacker claimed to have stolen the company's entire customer database before taking its website down (which, at press time, was down). According to PrivacySharks, the stolen records included usernames, plain-text passwords, IP addresses and billing information. The attack also included the public and private keys of LimeVPN users, the researchers added.
"The hackers told us that they have each user's private key, which is a serious security concern because it means they can easily decrypt the traffic of each LimeVPN user," the company said in a post.
Experts say the possibility of decryption is worrisome because the VPN transmits all users' Internet traffic, a potential goldmine of information for cyber attackers.
The entire site's data has been sold on hacking forum RaidForums, where hackers with the username "slashx" initially said the database contained 10,000 records for $400 (Tuesday) and then expanded the tally (Wednesday). conducted through a security breach and had no connection to insider threats to its company or older hacks.
Then, on Thursday, the site went offline - apparently infected with malware. "The concern is that our access was blocked by Malwarebytes [antivirus protection] due to a potential Trojan horse found on the site," PrivacySharks said.
LimeVPN confirms to researchers that it was attacked
PrivacySharks said LimeVPN confirmed that a data incident occurred and that the hackers who stole the database also claimed responsibility for the site's shutdown. RestorePrivacy, the company that separately confirmed the breach, noted that LimeVPN told it "our backup servers had been hacked" and that it "reset our access credentials and started a system audit.
Sample Review of Stolen Data
In analyzing the available sample data provided by slashx, RestorePrivacy researchers noted that the transaction details of users who purchased the service were available (such as dollar amounts and payment methods), but did not include actual payment card data or bank details.
The company noted, "This is because VPNs use a third-party payment processing system called WHMCS, and hackers claim to have gained access to the entire WHMCS database."
The two companies found that some of the transactions in the sample were dated as of this week and included the full names of current subscribers. Cliff Durward, head of security at PrivacySharks, told Threatpost, "While LimeVPN is not a large provider like Surfshark or NordVPN, the fact that entire databases were stolen raises security concerns among VPN providers." "While most VPN companies, such as LimeVPN, have a no-logging policy, identifiable data such as email addresses and payment information can still be stolen and sold in the event of a security breach."
No logs?
Like many other providers, LimeVPN touts a no-logging service, meaning it doesn't track users or retain their personal data. But researchers say the existence of allegedly stolen records and databases calls that offer into question.
"Based on the data we provided, it's not entirely clear to us whether LimeVPN is collecting logs of user usage or connections," RestorePrivacy said. "And we're not willing to pay $400 in bitcoin to see all the data. Nonetheless, this incident seems to have dealt a major blow to the reputation of the VPN service."
PrivacySharks had a similar take: "LimeVPN's no-logging policy will also be questioned, as this massive data breach could lead some users to question how much of their data the company is actually storing. Without an independent review of the provider's privacy policy, the term 'no logs' doesn't mean much, and the current situation will raise a lot of suspicion among customers."
What LimeVPN users should do
As with the recent LinkedIn data breach, the information contained in the collection could allegedly be used to carry out a variety of social engineering attacks, including increased phishing campaigns, among others.
PrivacySharks notes, "Hackers can use the information to build a personal profile, making it easier to find more details that could lead to identity theft, fraud or scams." "That's why it's important to be vigilant when using your personal details to create an online account."
PrivacySharks recommends that users change their passwords and freeze/replace their credit cards, and it's also a good idea to change passwords and activate two-factor authentication on other accounts that may use the same credentials.