Can a VPN Be Hacked?
A
virtual
private
network
is
one
of
the
easiest
ways
users
can
protect
their
online
activity.
Through
what’s
called
a
tunneling
protocol,
VPNs
encrypt
a
user’s
online
traffic
and
make
their
data
unreadable
to
prying
eyes.
SEE:
Brute
Force
and
Dictionary
Attacks:
A
Guide
for
IT
Leaders
(TechRepublic
Premium)
This
additional
layer
of
security
has
become
a
go-to
option
for
both
businesses
and
consumers
alike
to
protect
their
privacy.
According
to
Statista,
over
24%
of
all
internet
users
in
2023
used
a
VPN
to
secure
their
internet
connection.
With
this
popularity,
one
can
be
forgiven
to
ask:
Are
VPNs
invincible
against
hackers?
Are
they
susceptible
to
being
hacked?
Can
VPNs
be
used
to
steal
user
data
instead
of
protecting
it?
We’ll
answer
these
questions
and
more
below.
Can
VPNs
really
be
hacked?
Like
any
software,
all
VPNs
are
technically
capable
of
being
hacked.
No
software
is
100%
perfect,
and
VPNs,
like
any
internet-based
software,
can
fall
victim
to
different
attacks.
That
being
said,
a
quality
VPN
will
be
incredibly
hard
to
crack
—
especially
if
it
has
a
secure
server
infrastructure
and
application.
SEE:
4
Different
Types
of
VPNs
&
When
to
Use
Them
(TechRepublic)
VPNs
work
by
generating
a
private
connection
where
your
internet
activity
is
encrypted
and
made
unreadable.
Your
internet
data
is
routed
to
a
VPN
server,
which
masks
your
IP
address
and
provides
you
an
additional
layer
of
anonymity
online.
This
encryption
hides
sensitive
user
data
such
as
your
IP
address,
device
location,
browsing
history
and
online
searches
from
your
internet
service
provider,
government
entities
and
cybercriminals.
While
VPNs
have
varying
types
and
sizes,
this
is
how
most
VPNs
fundamentally
work.
If
you’re
interested
in
a
more
in-depth
explanation
of
VPNs,
we
encourage
you
to
check
out
our
explainer
on
VPN
software.
Here
we
looked
into
the
different
types
of
VPNs,
VPN
benefits
and
drawbacks,
and
a
few
popular
VPN
providers
we
recommend.
By
encrypting
user
data
and
passing
it
through
a
secure
tunnel,
VPNs
serve
as
an
easy
way
to
add
protection
to
your
online
activity.
However,
this
doesn’t
make
them
invincible.
There
are
a
few
points
of
weakness
in
which
VPNs
can
be
exploited
or
attacked
by
hackers.
Let’s
go
through
a
few
of
them:
How
VPNs
can
be
hacked
Breaking
through
VPN
encryption
One
way
VPNs
can
be
hacked
is
by
breaking
through
the
encryption.
Hackers
can
make
use
of
cryptographic
attacks
to
break
poorly
implemented
encryption
ciphers.
However,
it’s
important
to
mention
that
breaking
encryption
takes
a
considerable
amount
of
effort,
time
and
resources
to
do
so.
SEE:
Free
VPN
vs
Paid
VPN:
Which
One
Is
Right
for
You?
(TechRepublic)
Most
modern
VPNs
use
what’s
called
the
Advanced
Encryption
Standard
or
AES-256
encryption
algorithm.
This
encryption
standard
uses
256-bit
key
length
to
encrypt
and
decrypt
data
and
is
widely
recognized
as
the
gold
standard
of
encryption.
This
is
because
AES-256
is
virtually
unbreakable
—
requiring
millions
to
billions
of
years
to
brute
force
and
crack,
even
with
today’s
technology.
That’s
why
many
governments
and
banks
use
AES-256
encryption
to
secure
their
data.
In
any
case,
most
modern
VPN
providers
use
AES-256
encryption
for
their
VPN,
so
there’s
not
much
to
worry
about
here.
VPNs
using
dated
tunneling
protocols
Another
way
hackers
can
hack
VPNs
is
by
exploiting
dated
VPN
tunneling
protocols.
Tunneling
protocols
are
essentially
a
set
of
rules
for
how
your
data
will
be
handled
and
sent
across
a
particular
network.
What
we
want
to
avoid
here
is
using
dated
protocols
such
as
PPTP
and
L2TP/IPSec.
These
protocols
are
older
and
considered
to
have
medium
to
low
security
by
today’s
standards.
SEE:
Are
Password
Managers
Safe
to
Use?
(TechRepublic)
In
particular,
PPTP
is
based
on
older
technology
and
is
known
to
have
vulnerabilities
that
can
be
exploited
by
bad
actors.
L2TP/IPSec,
on
the
other
hand,
has
better
security
but
also
provides
slower
performance
than
newer
protocols
available.
Fortunately,
more
modern
VPN
protocols
like
OpenVPN,
WireGuard
and
IKEv2
provide
a
good
mix
of
both
high-end
security
and
speed.
Through
DNS,
IP
or
WebRTC
leaks
Malicious
actors
can
also
steal
user
data
through
VPN
leaks.
VPN
leaks
refer
to
user
data
being
“leaked”
out
of
the
secure
VPN
tunnel
due
to
some
flaw
or
vulnerability
within
the
app.
The
main
types
of
VPN
leaks
involve
the
following:
-
DNS
leaks
are
when
the
VPN
exposes
your
internet
activity,
such
as
DNS
queries
or
browsing
history,
to
the
ISP
DNS
server
despite
being
on
an
encrypted
VPN
connection. -
IP
leaks
happen
when
your
IP
address
is
inadvertently
revealed
or
exposed
to
the
internet,
defeating
the
main
purpose
of
a
VPN
in
masking
your
real
IP
address
and
location. -
WebRTC
leaks
involve
a
leak
with
browser
technology
wherein
websites
get
unauthorized
access
to
your
actual
IP
address
by
bypassing
the
encrypted
VPN
tunnel.
VPNs
themselves
logging
user
data
Finally,
hacking
can
also
occur
when
VPN
providers
themselves
take
hold
of
user
data
without
their
consent.
While
many
VPN
providers
claim
to
have
no-logs
policies,
stating
they
don’t
record
user
data,
there
have
been
times
when
VPNs
were
found
to
have
stored
user
information
regardless
of
such
policies.
Real-world
examples
of
VPN
hacks
Here
are
some
concrete
examples
of
VPNs
being
hacked
or
compromised
by
malicious
third-parties.
Ivanti
VPN
zero-day
exploits
in
early
2024
In
January
2024,
five
new
zero-day
vulnerabilities
were
discovered
in
Ivanti
Secure
VPN.
The
vulnerabilities
allowed
an
unauthenticated
attacker
to
execute
remote
code
and
compromise
systems,
possibly
affecting
almost
30,000
Ivanti
Secure
VPN
appliances
connected
to
the
internet.
Ivanti
Secure
VPN
is
a
popular,
remote-access
VPN
used
by
organizations
around
the
world.
Since
the
discovery
of
these
zero-day
vulnerabilities,
Ivanti
has
released
patches
to
address
some
of
the
vulnerabilities.
But
if
you
were
interested
in
Ivanti
and
want
an
alternative
solution,
or
if
you
were
a
former
Ivanti
user
yourself,
we’ve
rounded
up
a
list
of
the
top
four
Ivanti
competitors
and
alternatives.
NordVPN
breach
in
2018
In
2019,
NordVPN
announced
that
one
of
its
third-party
servers
was
breached
in
2018.
In
particular,
a
single
NordVPN
server
in
Finland
was
attacked.
According
to
NordVPN,
this
was
due
to
a
third-party
data
center’s
poor
configuration
of
the
server
that
they
weren’t
notified
about.
NordVPN
says
no
other
servers
or
user
credentials
were
affected
in
the
incident.
Following
the
breach,
the
VPN
provider
said
they
had
taken
all
necessary
measures
to
enhance
their
security
and
had
undergone
audits
to
confirm
these
efforts.
Since
the
incident,
NordVPN
has
been
widely
regarded
as
one
of
the
safest
VPNs
available
today.
You
can
read
our
full
NordVPN
review
here.
VPNs
with
no-logs
policies
caught
logging
data
There
have
also
been
a
handful
of
instances
where
VPNs
with
no-logs
policies
were
seemingly
caught
or
suspected
of
logging
user
data.
-
IPVanish
VPN
in
2016:
IPVanish
allegedly
handed
user
data
logs
to
the
United
States
Department
of
Homeland
Security
to
track
down
a
child
pornography
suspect.
This
was
in
spite
of
an
initial
no-logs
claim,
eventually
confirming
they
did
in
fact
provide
logs
to
government
authorities. -
Hotspot
Shield
VPN
in
2017:
The
Center
for
Democracy
and
Technology
accused
Hotspot
Shield
of
logging
user
data
and
selling
it
to
third-parties
via
its
free
VPN
application. -
Norton
Secure
VPN:
Despite
having
a
no-logs
policy,
Norton’s
Global
Privacy
Statement
states
that
it
stores
user
data
such
as
device
names,
IP
addresses
and
URLs
—
info
that
we
primarily
don’t
want
a
VPN
to
ever
have
access
to.
If
you’re
interested
in
a
rundown
of
the
best
no-logs
VPNs,
we’ve
got
you
covered.
Check
out
our
best
no-logs
VPN
roundup
here.
Measures
to
enhance
VPN
security
Given
these
points
of
weakness,
there
are
several
key
things
you
can
do
to
improve
your
security
and
VPN
experience.
Invest
in
a
paid
VPN
over
a
free
one
While
free
VPNs
can
be
convenient
for
the
one-off
time
you
need
to
change
your
IP
address,
they’re
not
the
most
secure
solution
out
there.
VPNs
take
money
to
operate
and
run.
With
this,
some
free
VPNs
are
known
to
sell
user
data
to
third-parties.
This
may
be
to
serve
these
users
with
personalized
ads
or
for
other
purposes.
What’s
clear,
though,
is
that
a
paid
VPN
subscription
is
going
to
offer
a
far
more
secure
overall
experience.
With
premium
VPNs,
you
get
the
full
server
network,
better
customer
support
and
stronger
security.
Check
for
no-logs
policies
with
independent
audits
You
should
also
check
for
VPNs
that
offer
both
a
no-logs
policy
and
independent
audits.
While
promises
of
no-logs
are
important,
we
can
only
leave
it
up
to
trust
if
providers
actually
abide
by
their
words
or
not.
A
good
way
to
combat
this
is
to
look
for
VPNs
that
have
been
independently
audited.
These
are
providers
that
have
had
third-party
firms
look
into
their
software,
audit
them
and
share
whether
their
services
pass
security
standards
or
not.
I
highly
recommend
looking
at
VPNs
that
offer
both
no-logs
policies
and
third-party
security
audits.
Use
modern
security
protocols
Another
useful
measure
is
to
use
modern
VPN
protocols
instead
of
older
ones.
In
particular,
I
recommend
using
OpenVPN,
WireGuard
or
IKEv2
protocols
as
your
main
tunneling
protocols
of
choice.
While
these
protocols
are
different,
they
all
provide
high-end
security
and
VPN
speed
that
won’t
affect
your
regular
browsing.
There
are
also
proprietary
protocols
from
VPN
providers
themselves,
such
as
ExpressVPN’s
Lightway
or
NordVPN’s
NordLynx.
These
are
also
viable
options
that
provide
good
security
and
performance.
Utilize
built-in
VPN
kill
switches
VPNs
come
with
a
number
of
included
security
features
that
further
enhance
your
security.
One
of
these
is
a
VPN
kill
switch.
Kill
switches
automatically
block
any
connection
between
your
machine
and
the
internet
that’s
not
routed
via
an
encrypted
VPN
tunnel.
This
means
that
if
your
VPN
connection
drops,
the
kill
switch
will
immediately
prevent
any
of
your
sensitive
data
from
being
leaked.
Many
modern
VPNs
include
a
kill
switch
turned
on
out
of
the
box,
but
it’s
a
good
idea
to
double-check
your
VPN
settings
to
be
sure.
Why
you
should
still
invest
in
a
VPN
Even
after
learning
the
different
ways
VPNs
can
be
compromised,
using
a
VPN
is
still
far
more
secure
than
not
using
one.
VPNs
allow
you
and
your
business
to
hide
your
IP
address
at
a
click
of
a
button.
Hiding
your
IP
address
is
important,
as
this
can
be
used
by
malicious
actors
to
serve
you
intrusive
ads,
gain
data
about
your
location
and
gather
data
about
your
personal
identity.
VPNs
are
some
of
the
easiest
and
most
accessible
ways
to
do
this.
For
larger
organizations,
VPNs
are
also
a
great
way
to
ensure
company
data
is
kept
secure
—
especially
if
your
business
consists
of
remote
workers
who
access
company
resources
over
the
internet.
VPNs
also
let
you
access
region-locked
content
by
using
a
VPN
server
from
a
different
location.
This
can
be
incredibly
useful,
especially
for
businesses
that
need
access
to
various
types
of
content
in
other
parts
of
the
world.