A virtual private network is one of the easiest ways users can protect their online activity. Through what’s called a tunneling protocol, VPNs encrypt a user’s online traffic and make their data unreadable to prying eyes.
This additional layer of security has become a go-to option for both businesses and consumers alike to protect their privacy. According to Statista, over 24% of all internet users in 2023 used a VPN to secure their internet connection.
With this popularity, one can be forgiven for asking: Are VPNs invincible against hackers? Are they susceptible to being hacked? Can VPNs be used to steal user data instead of protecting it?
We’ll answer these questions and more below.
Can VPNs really be hacked?
Like any software, all VPNs are technically capable of being hacked. No software is 100% perfect, and VPNs, like any internet-based software, can fall victim to different attacks. That being said, a quality VPN will be incredibly hard to crack — especially if it has a secure server infrastructure and application.
VPNs work by generating a private connection where your internet activity is encrypted and made unreadable. Your internet data is routed to a VPN server, which masks your IP address and provides you with an additional layer of anonymity online.
This encryption hides sensitive user data such as your IP address, device location, browsing history, and online searches from your internet service provider, government entities, and cybercriminals.
While VPNs come in different types and sizes, this is how most VPNs fundamentally work. If you’re interested in a more in-depth explanation of VPNs, we encourage you to check out our explainer on VPN software. There, we look into the different types of VPNs, VPN benefits and drawbacks, and a few popular VPN providers we recommend.
By encrypting user data and passing it through a secure tunnel, VPNs serve as an easy way to add protection to your online activity. However, this doesn’t make them invincible.
There are a few points of weakness through which VPNs can be exploited or attacked by hackers. Let’s go through a few of them:
How VPNs can be hacked
Breaking through VPN encryption
One way VPNs can be hacked is by breaking through the encryption. Hackers can make use of cryptographic attacks to break poorly implemented encryption ciphers. However, it’s important to mention that breaking encryption takes a considerable amount of effort, time, and resources.
Most modern VPNs use the Advanced Encryption Standard in its AES-256 form. This encryption standard uses a 256-bit key length to encrypt and decrypt data and is widely recognized as the gold standard of encryption.
This is because AES-256 is virtually unbreakable — requiring millions to billions of years to brute force and crack, even with today’s technology. That’s why many governments and banks use AES-256 encryption to secure their data.
In any case, most modern VPN providers use AES-256 encryption for their VPN, so there’s not much to worry about here.
VPNs using dated tunneling protocols
Another way hackers can hack VPNs is by exploiting dated VPN tunneling protocols. Tunneling protocols are essentially a set of rules for how your data will be handled and sent across a particular network.
What we want to avoid here is using dated protocols such as PPTP and L2TP/IPSec. These protocols are older and considered to have medium to low security by today’s standards.
In particular, PPTP is based on older technology and is known to have vulnerabilities that can be exploited by bad actors. L2TP/IPSec, on the other hand, has better security but also provides slower performance than newer protocols available.
Fortunately, more modern VPN protocols like OpenVPN, WireGuard, and IKEv2 provide a good mix of both high-end security and speed.
Through DNS, IP or WebRTC leaks
Malicious actors can also steal user data through VPN leaks. VPN leaks refer to user data being “leaked” out of the secure VPN tunnel due to some flaw or vulnerability within the app. The main types of VPN leaks involve the following:
- DNS leaks are when the VPN exposes your internet activity, such as DNS queries or browsing history, to the ISP DNS server despite being on an encrypted VPN connection.
- IP leaks happen when your IP address is inadvertently revealed or exposed to the internet, defeating the main purpose of a VPN in masking your real IP address and location.
- WebRTC leaks involve a leak with browser technology wherein websites get unauthorized access to your actual IP address by bypassing the encrypted VPN tunnel.
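As an added example (not part of the original article), the script below checks for all three leak types by comparing what outside services see while the VPN is connected against a baseline recorded before connecting. The function names, dictionary keys and every address are constructed for illustration, and it assumes you know your ISP-assigned address and your ISP's network ranges.

```python
import ipaddress

def candidate_addresses(ice_lines):
    """Yield (candidate type, IP) for ICE candidate lines carrying a literal IP."""
    for line in ice_lines:
        # candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
        fields = line.split()
        if len(fields) < 8 or not fields[0].startswith("candidate:") or fields[6] != "typ":
            continue
        try:
            yield fields[7], ipaddress.ip_address(fields[4])
        except ValueError:
            continue  # mDNS name ("<uuid>.local"): no address is disclosed

def find_leaks(baseline, observed):
    """Compare what outside services see over the VPN with the pre-VPN baseline."""
    real_ip = ipaddress.ip_address(baseline["public_ip"])
    isp_nets = [ipaddress.ip_network(n) for n in baseline["isp_networks"]]
    def from_isp(addr):
        return addr == real_ip or any(addr in net for net in isp_nets)
    leaks = []
    seen_ip = ipaddress.ip_address(observed["public_ip"])
    if from_isp(seen_ip):                       # IP leak: sites still see the real address
        leaks.append(("ip", str(seen_ip)))
    for resolver in observed["dns_resolvers"]:  # DNS leak: queries reach the ISP resolver
        if from_isp(ipaddress.ip_address(resolver)):
            leaks.append(("dns", resolver))
    for ctype, addr in candidate_addresses(observed["ice_candidates"]):  # WebRTC leak
        if from_isp(addr):
            leaks.append(("webrtc", f"{addr} ({ctype})"))
    return leaks

# Constructed sample data (documentation address ranges, not real measurements).
BASELINE = {"public_ip": "198.51.100.23", "isp_networks": ["198.51.100.0/24", "192.0.2.0/24"]}
OBSERVED_LEAKY = {
    "public_ip": "203.0.113.7",  # VPN exit address, as seen by an external site
    "dns_resolvers": ["203.0.113.53", "192.0.2.53"],
    "ice_candidates": [
        "candidate:1 1 udp 2113937151 3f1a9c2e-7b7d-4c55-9d4e-0a1b2c3d4e5f.local 51000 typ host",
        "candidate:2 1 udp 1677729535 203.0.113.7 51000 typ srflx raddr 0.0.0.0 rport 0",
        "candidate:3 1 udp 1677729535 198.51.100.23 51001 typ srflx raddr 0.0.0.0 rport 0",
    ],
}
OBSERVED_CLEAN = dict(OBSERVED_LEAKY, dns_resolvers=["203.0.113.53"],
                      ice_candidates=OBSERVED_LEAKY["ice_candidates"][:2])

if __name__ == "__main__":
    print("leaky:", find_leaks(BASELINE, OBSERVED_LEAKY))
    print("clean:", find_leaks(BASELINE, OBSERVED_CLEAN))
```

The sample shows a case where the public IP looks correct while a DNS query and a WebRTC candidate still expose the ISP side, which is why each leak type is checked separately.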
VPNs themselves logging user data
Finally, hacking can also occur when VPN providers themselves take hold of user data without users’ consent.
While many VPN providers claim to have no-logs policies, stating they don’t record user data, there have been times when VPNs were found to have stored user information regardless of such policies.
Real-world examples of VPN hacks
Here are some concrete examples of VPNs being hacked or compromised by malicious third parties.
Ivanti VPN zero-day exploits in early 2024
In January 2024, five new zero-day vulnerabilities were discovered in Ivanti Secure VPN. The vulnerabilities allowed an unauthenticated attacker to execute remote code and compromise systems, possibly affecting almost 30,000 Ivanti Secure VPN appliances connected to the internet.
Ivanti Secure VPN is a popular, remote-access VPN used by organizations around the world. Since the discovery of these zero-day vulnerabilities, Ivanti has released patches to address some of the vulnerabilities.
If you were interested in Ivanti and want an alternative solution, or if you are a former Ivanti user yourself, we’ve rounded up a list of the top four Ivanti competitors and alternatives.
NordVPN breach in 2018
In 2019, NordVPN announced that one of its third-party servers was breached in 2018. In particular, a single NordVPN server in Finland was attacked. According to NordVPN, this was due to a third-party data center’s poor configuration of the server, which NordVPN was not notified about.
NordVPN says no other servers or user credentials were affected in the incident. Following the breach, the VPN provider said they had taken all necessary measures to enhance their security and had undergone audits to confirm these efforts.
Since the incident, NordVPN has been widely regarded as one of the safest VPNs available today. You can read our full NordVPN review here.
Pulse Connect Secure VPN U.S. agency hack
In 2021, the Cybersecurity and Infrastructure Security Agency stated that a number of U.S. government agencies were compromised due to vulnerabilities found in the Pulse Connect Secure VPN solution. Now known as Ivanti Secure Access, Pulse Connect VPN is a software service used by various organizations in both the private and public sector as a remote access tool.
Per news reports, around five U.S. federal agencies were likely to have been breached or compromised as a result of the vulnerabilities found in Pulse Connect. This was found after the at-risk agencies were told to run an integrity tool, confirming malicious activity in their Pulse Connect appliances.
According to CISA, the threat actor leveraged multiple vulnerabilities in certain Pulse Connect Secure products and used its unauthorized entry to place webshells for “further access and persistence.” Fortunately, multiple updates have been deployed by Ivanti to address the aforementioned vulnerabilities.
VPNs with no-logs policies caught logging data
There have also been a handful of instances where VPNs with no-logs policies were seemingly caught or suspected of logging user data.
- IPVanish VPN in 2016: IPVanish allegedly handed user data logs to the United States Department of Homeland Security to track down a child pornography suspect. This was in spite of an initial no-logs claim; the company eventually confirmed it did in fact provide logs to government authorities.
- Hotspot Shield VPN in 2017: The Center for Democracy and Technology accused Hotspot Shield of logging user data and selling it to third parties via its free VPN application.
- Norton Secure VPN: Despite having a no-logs policy, Norton’s Global Privacy Statement states that it stores user data such as device names, IP addresses, and URLs — info that we primarily don’t want a VPN to ever have access to.
If you’re interested in a rundown of the best no-logs VPNs, we’ve got you covered. Check out our best no-logs VPN roundup here.
Measures to enhance VPN security
Given these points of weakness, there are several key things you can do to improve your security and VPN experience.
Invest in a paid VPN over a free one
While free VPNs can be convenient for the one-off time you need to change your IP address, they’re not the most secure solution out there. VPNs take money to operate and run. Because of this, some free VPNs are known to sell user data to third parties. This may be to serve these users with personalized ads or for other purposes.
What’s clear, though, is that a paid VPN subscription is going to offer a far more secure overall experience. With premium VPNs, you get the full server network, better customer support and stronger security.
Check for no-logs policies with independent audits
You should also check for VPNs that offer both a no-logs policy and independent audits. While promises of no-logs are important, without outside verification we can only trust that providers actually abide by their word.
A good way to combat this is to look for VPNs that have been independently audited. These are providers that have had third-party firms look into their software, audit them, and share whether their services pass security standards or not.
I highly recommend looking at VPNs that offer both no-logs policies and third-party security audits.
Use modern security protocols
Another useful measure is to use modern VPN protocols instead of older ones. In particular, I recommend using OpenVPN, WireGuard, or IKEv2 protocols as your main tunneling protocols of choice.
While these protocols are different, they all provide high-end security and VPN speed that won’t affect your regular browsing. There are also proprietary protocols from VPN providers themselves, such as ExpressVPN’s Lightway or NordVPN’s NordLynx. These are also viable options that provide good security and performance.
Utilize built-in VPN kill switches
VPNs come with a number of included security features that further enhance your security. One of these is a VPN kill switch.
Kill switches automatically block any connection between your machine and the internet that’s not routed via an encrypted VPN tunnel. This means that if your VPN connection drops, the kill switch will immediately prevent any of your sensitive data from being leaked.
Many modern VPNs include a kill switch turned on out of the box, but it’s a good idea to double-check your VPN settings to be sure.
Why you should still invest in a VPN
Even after learning the different ways VPNs can be compromised, using a VPN is still far more secure than not using one. VPNs allow you and your business to hide your IP address at the click of a button.
Hiding your IP address is important, as this can be used by malicious actors to serve you intrusive ads, gain data about your location, and gather data about your personal identity. VPNs are some of the easiest and most accessible ways to do this.
For larger organizations, VPNs are also a great way to ensure company data is kept secure — especially if your business consists of remote workers who access company resources over the internet.
VPNs also let you access region-locked content by using a VPN server from a different location. This can be incredibly useful, especially for businesses that need access to various types of content in other parts of the world.