More Than 2 Million VPN Passwords Have Been Stolen



Over two million VPN passwords have been stolen by malware over the past year. This is according to new research from password management and authentication solution provider Specops Software, which analyzed compromised VPN credentials between August 20, 2023, and August 20, 2024.

The most commonly compromised VPN service providers were the well-known and reputable ones.

The research found that over two million VPN passwords had been compromised, with most of them coming from popular consumer services.

Proton VPN had the most stolen passwords, followed by ExpressVPN and NordVPN. However, it’s not the VPN providers themselves that were breached. Rather, cybercriminals used a variety of tactics, including malware, to steal VPN credentials from end users.

“While VPNs significantly enhance security by encrypting data and providing a secure connection to the internet, they are not without their vulnerabilities, especially concerning password security,” Specops Software senior product manager Darren James told TechRadar Pro.

“If VPN servers are configured to allow unlimited login attempts, they can be vulnerable to brute force attacks, where attackers use automated tools to try a vast number of password combinations to gain unauthorized access.”

The top three targeted VPN service providers (ProtonVPN, ExpressVPN, and NordVPN) are three of the most popular and secure VPNs on the market. Despite the well-documented security of the VPN product itself, over a million ProtonVPN end users have had their credentials compromised by malware.

“It’s a lot easier for cybercriminals to target the end users’ login credentials than try to hack the VPNs themselves,” James said. “Users might be tricked into entering their VPN credentials on fraudulent websites. Phishing attacks can be sophisticated, mimicking legitimate VPN login pages to steal usernames and passwords. Malware such as keyloggers can capture keystrokes, including VPN passwords, if they are installed on a user’s device. This can happen if the device is already compromised before connecting to the VPN or if the VPN fails to include or enforce the use of anti-malware tools.”

Password reuse is a serious risk too. End users often reuse passwords across multiple services. If a password is compromised on one service, all other accounts using the same password, potentially including VPN accounts, are at risk.
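Two of the points made above, that a VPN server allowing unlimited login attempts is open to automated password guessing, and that a password already leaked elsewhere is a liability wherever it is reused, can be shown in code. The following Python is an added example, not code from Specops Software or from any VPN provider. The `VpnAuth` class is a hypothetical stand-in for a server's credential check, and the account, the passwords and the breach list are constructed sample values.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# --- Compromised-password check ---------------------------------------------
# Constructed sample of passwords seen in a breach dump (hypothetical values).
# Stored as SHA-256 digests so the checker compares hashes, not clear text.
BREACHED_PASSWORD_HASHES = {
    hashlib.sha256(p.encode()).hexdigest()
    for p in ("password", "123456", "qwerty", "letmein")
}


def is_breached(password: str) -> bool:
    """True if the candidate password appears in the constructed breach set."""
    return hashlib.sha256(password.encode()).hexdigest() in BREACHED_PASSWORD_HASHES


# --- Login attempt limiting --------------------------------------------------
@dataclass
class LoginGuard:
    """Locks an account after max_failures consecutive failed logins.

    A server configured with no such limit ("unlimited login attempts") lets an
    automated guesser run through an entire wordlist; this guard caps that.
    """
    max_failures: int = 5
    lockout_seconds: int = 900
    failures: dict = field(default_factory=dict)      # user -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # user -> unix time lock expires

    def is_locked(self, user: str, now: float) -> bool:
        return self.locked_until.get(user, 0) > now

    def record_failure(self, user: str, now: float) -> bool:
        """Count a failure; return True if this one triggered a lockout."""
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count >= self.max_failures:
            self.locked_until[user] = now + self.lockout_seconds
            self.failures.pop(user, None)
            return True
        return False

    def record_success(self, user: str) -> None:
        self.failures.pop(user, None)
        self.locked_until.pop(user, None)


def _digest(password: str) -> str:
    # Constructed stand-in for a password store; a production server should
    # use a slow, salted KDF (bcrypt, scrypt or Argon2), not plain SHA-256.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class VpnAuth:
    """Hypothetical stand-in for a VPN server's credential check."""
    guard: LoginGuard
    users: dict  # username -> stored digest

    def login(self, user: str, password: str, now: float) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        if self.guard.is_locked(user, now):
            return "locked"
        stored = self.users.get(user)
        # Unknown users take the failure path too, so guessing against
        # non-existent accounts is throttled the same way.
        ok = stored is not None and hmac.compare_digest(stored, _digest(password))
        if ok:
            self.guard.record_success(user)
            return "ok"
        return "locked" if self.guard.record_failure(user, now) else "denied"


def demo() -> list:
    """Replay a guessing sequence against a constructed account; return outcomes."""
    auth = VpnAuth(LoginGuard(max_failures=5, lockout_seconds=900),
                   {"alice": _digest("correct-horse-battery-staple")})
    t = 1_700_000_000.0
    guesses = ["password", "123456", "qwerty", "letmein", "admin",
               "correct-horse-battery-staple"]  # the right one arrives too late
    outcomes = [auth.login("alice", g, t + i) for i, g in enumerate(guesses)]
    # Once the lockout window has passed, the genuine password works again.
    outcomes.append(auth.login("alice", "correct-horse-battery-staple", t + 1000))
    return outcomes


if __name__ == "__main__":
    print(demo())
    print("breached:", is_breached("password"))
```

In `demo()` the fifth wrong guess trips the lockout, the sixth attempt is refused even though it carries the correct password, and the account only accepts it again after `lockout_seconds`. `is_breached` is the kind of check a registration or password-change form can run so that a credential already circulating in a dump (the report's 554 occurrences of "password" are the obvious case) is rejected before it can be reused.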

The most common password appearing only 5,290 times (and the perennially common “password” only 554 times) in a data set of over two million entries seems quite low. This could suggest that end users have generally been using unique, or even strong, passwords for their VPN credentials.

But this hasn’t stopped them from becoming compromised.

“Users may have been tricked into giving away their secret login details on fake websites impersonating the VPN provider,” the Specops Software report states. “Cybercriminals are used to taking advantage of reliable brands to carry out phishing attacks. Keylogger malware could also be used to capture keystrokes, including VPN passwords.”

The best way to keep your VPN account safe is to use a unique and complex password.
