Like all software, VPNs (Virtual Private Networks) are frequently targeted by hackers. And while industry leaders have made their protection nearly impossible to crack, some smaller VPN providers have vulnerabilities that lead to millions of user data records being exposed every year.
If you want to avoid being on the list of people who got their data leaked, follow along and learn about VPN vulnerabilities and how to choose a secure VPN provider.
How can a VPN be hacked?
No software is ever completely safe, so in theory, VPNs can also be hacked. Hackers look for weaknesses anywhere within a VPN provider’s infrastructure. And, if they uncover a crack, they’ll surely find a way to squeeze through, possibly resulting in data theft, fraud, identity theft, and a whole lot of other cybercrimes.
Here are a few things that hackers commonly look for when targeting VPNs:
Outdated VPN protocols
VPN protocols are sets of rules that define how data and traffic are routed between your device and the VPN server. Protocols such as OpenVPN, WireGuard, or IKEv2 have no known vulnerabilities and are considered secure. However, others, such as PPTP, SSTP, or L2TP, have plenty of security issues.
While no reputable VPN providers employ these protocols, some free VPNs still utilize PPTP or L2TP, which partly contributes to the large number of data leaks from free VPNs. So, if you have a VPN with one of the outdated protocols, you’re putting your sensitive information at risk.
Weak encryption
VPNs use encryption to turn your data into ciphertext before it leaves your device. Your traffic looks like gibberish code while it travels to the VPN server. So, even if someone intercepts your connection, they wouldn’t be able to read the information being transmitted.
The security of the encryption depends on the cipher used and the length of the encryption key. AES-256 is the industry-standard encryption for protocols such as OpenVPN and IKEv2, while ChaCha20 is used for secure encryption with WireGuard. These two encryption algorithms are virtually impossible to crack, so choose a provider that uses them, as most other algorithms can be cracked with modern technology.
Encryption keys
Encryption keys encrypt and decrypt the data that travels from your device to the VPN server. If a hacker gets hold of them, even a secure encryption cipher becomes breakable. The hard part is actually stealing the keys, which requires immense resources and knowledge.
Some good VPN providers, including Surfshark, have implemented Perfect Forward Secrecy (PFS) to protect users from this threat. With PFS, encryption keys are replaced so frequently that a stolen key is only useful for a short window, which keeps the rest of your traffic protected even if one key is compromised.
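To make the idea concrete, here is an added Python example (not code from Surfshark or any VPN protocol) that contrasts a session key derived from a long-term secret with one derived from one-time Diffie-Hellman values. The toy group, the function names and the attacker model (a recorded handshake plus a stolen long-term secret) are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group constructed for this demo; far too small for real use.
P = 2**127 - 1
G = 3

def static_session(long_term: bytes):
    """No forward secrecy: the key comes from the long-term secret and a nonce
    sent in the clear, so the recorded nonce is enough to rebuild it later."""
    nonce = secrets.token_bytes(16)
    key = hmac.new(long_term, nonce, hashlib.sha256).digest()
    return [nonce], key              # (what an eavesdropper records, session key)

def ephemeral_session(long_term: bytes):
    """Forward secrecy: fresh DH secrets per session. The long-term secret only
    authenticates the public values and never feeds the session key."""
    a = secrets.randbelow(P - 3) + 2             # client's one-time secret
    b = secrets.randbelow(P - 3) + 2             # server's one-time secret
    pub_a = pow(G, a, P).to_bytes(16, "big")     # sent in the clear
    pub_b = pow(G, b, P).to_bytes(16, "big")     # sent in the clear
    tag = hmac.new(long_term, pub_a + pub_b, hashlib.sha256).digest()
    shared = pow(int.from_bytes(pub_b, "big"), a, P)
    assert shared == pow(int.from_bytes(pub_a, "big"), b, P)  # both sides agree
    key = hashlib.sha256(shared.to_bytes(16, "big")).digest()
    return [pub_a, pub_b, tag], key  # a and b are discarded on return

def rebuild_from_theft(long_term: bytes, recorded: list) -> set:
    """Keys obtainable from a recorded handshake plus a stolen long-term
    secret, applying the static derivation to every recorded field."""
    fields = recorded + [b"".join(recorded)]
    return {hmac.new(long_term, f, hashlib.sha256).digest() for f in fields}

def compare() -> dict:
    long_term = secrets.token_bytes(32)
    rec_s, key_s = static_session(long_term)
    rec_e1, key_e1 = ephemeral_session(long_term)
    rec_e2, key_e2 = ephemeral_session(long_term)
    return {
        "static_key_recovered": key_s in rebuild_from_theft(long_term, rec_s),
        "ephemeral_key_recovered": key_e1 in rebuild_from_theft(long_term, rec_e1),
        "sessions_share_key": key_e1 == key_e2,
    }
```

In the ephemeral case the stolen secret lets the attacker verify the handshake tag, but the session key depends only on the discarded one-time values.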
Vulnerable servers
Sometimes, hackers target VPN providers directly instead of targeting their users. And VPN servers are one of the most common targets. Top-tier VPN providers have primarily moved to RAM-only servers and undergo regular server infrastructure audits. However, some smaller providers still store user data on hard drives and use questionable security practices.
Hackers target servers with lousy login credentials or weak configuration to gain access to user data. However, the physical seizing of servers isn’t unheard of either, with oppressive governments sometimes trying to take over VPN servers in an attempt to access user activity data. To keep yours safe, make sure to use a VPN with a secure server infrastructure.
What happens if your VPN is hacked?
When a VPN is hacked, bad actors can gain access to your sensitive information and internet traffic or even make you vulnerable to Man-in-the-Middle (MITM) attacks. This can result in identity theft, fraud, stolen accounts, devices infected with malware, and more.
Here are some of the most common things hackers do if they manage to compromise your VPN:
- Data theft — hackers often try to steal your activity data, which can be used for elaborate phishing attacks or sold to advertisers, who use this data to run targeted ads;
- Fraud — when your VPN is hacked, bad actors can access your personal information, including your banking details. This information can then be used for identity theft, taking out loans in your name, or draining your bank account;
- Malware — a hacked VPN won’t directly allow hackers to install malware on your devices. Still, it will definitely make your devices more vulnerable to MITM and other attacks that can result in hackers taking them over.
What should you do if your VPN has been hacked?
Finding out that your VPN got hacked is never a pleasant experience. But it’s important to stay calm and take the necessary steps to minimize the damage. Here’s what you should do as soon as you learn about your VPN provider being hacked:
- Uninstall your VPN on all devices and restart them;
- Change the passwords on all your accounts;
- Use an antivirus to run a malware scan;
- Check for fraudulent activity on your bank account;
- Look for any apps or extensions that you didn’t install. If you find any, uninstall them;
- Choose a reputable VPN such as Surfshark and stay safe online.
How a VPN can help you safeguard your data from hackers
While getting hacked even when using a VPN is possible, it’s less likely than connecting to the internet without one — especially if you sign up for trustworthy, reputable VPN services.
Here’s how a reliable VPN can protect your data from hackers:
- Data encryption — using strong encryption ciphers, a VPN encrypts your data and makes it unreadable without the decryption key. This ensures that even if hackers manage to intercept your data, it’s virtually impossible to decipher. This kind of protection is essential, especially on open Wi-Fi networks where hackers can try intercepting unencrypted traffic;
- IP masking — by routing your traffic through a remote VPN server, you assume the server’s IP (Internet Protocol) address, effectively masking your real one. This hides your location and identity and makes it much more challenging for hackers to locate and target your device;
- Ad blockers, malware alerts, and other extra security features — many market-leading VPN services include additional security features to provide their users with broader cyber protection.
For example, Surfshark offers an ad blocker and malware detection tool for browsers to help you avoid malicious websites and invasive, potentially harmful ads. In the Starter plan, Surfshark also includes security-boosting features like Auto-connect, Kill Switch, Rotating IP, and double VPN, and you get even more with the bigger plans — Antivirus, Alert, Search, and Alternative ID.
Understanding the limitations of VPNs
Despite VPNs being great security and privacy tools, they do have certain limitations, mostly related to human psychology and behavior. That’s why VPN use should always be accompanied by other security-improving habits, such as staying vigilant online, keeping software up-to-date, using two-factor authentication (2FA), and installing antivirus software on your devices.
Let’s look at some of the cyberthreats that VPNs can’t protect you from:
- Malware — a VPN can’t stop you from downloading malicious files or installing infected software onto your devices. Thus, besides being careful and wary about what you download and install, you need an antivirus program that will detect and remove malware;
- Phishing attacks — VPNs can’t protect you from social engineering attacks, like phishing, when hackers trick you into willingly sharing sensitive information. To avoid this, you have to educate yourself on what phishing is, how to spot it, and how to avoid falling victim to it;
- Human error — no VPN is able to prevent human mistakes like configuration errors, falling victim to scammers, sharing private information, and using weak passwords. Regardless of how good your VPN is, poor cyber hygiene puts your accounts and data at risk of breaches.
How to choose a VPN to stay safe from hackers
There is no way to tell for sure that a VPN service will never get hacked in the future. But you can look at certain VPN features and see whether the provider is taking the required measures to ensure the best security possible for its users.
Secure VPN protocols and encryption
OpenVPN, IKEv2, and WireGuard are some of today’s safest VPN protocols and are usually accompanied by AES-256 and ChaCha20 encryption algorithms. They are the ones you can trust for a secure connection.
Some VPN providers also have proprietary protocols that are considered safe, such as NordVPN’s NordLynx or ExpressVPN’s Lightway. Whatever you choose, make sure your VPN provider isn’t using outdated protocols like PPTP or SSTP.
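As an added example (not code from Surfshark or the OpenVPN project), the Python below audits an OpenVPN client profile against the cipher advice given here and under “Weak encryption”. The allow-list policy, the function name audit_openvpn_profile and the sample profile are assumptions made for the illustration.

```python
import re

# Allow-list taken from the article: AES-256 and ChaCha20. Treating every other
# cipher as a finding is this example's policy choice, not an OpenVPN rule.
APPROVED = re.compile(r"^(AES-256-(GCM|CBC)|CHACHA20-POLY1305)$", re.IGNORECASE)

# OpenVPN directives that name data-channel ciphers (ncp-ciphers is the older
# spelling of data-ciphers).
CIPHER_DIRECTIVES = {"cipher", "data-ciphers", "data-ciphers-fallback", "ncp-ciphers"}

SAMPLE_PROFILE = """\
# constructed sample, not a real provider profile
client
dev tun
proto udp
remote vpn.example.net 1194
cipher BF-CBC
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
"""

def audit_openvpn_profile(text: str) -> list[str]:
    """Return one finding per cipher that is not on the allow-list."""
    findings = []
    saw_cipher = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop '#' comments
        if not line or line.startswith(";"):     # ';' also comments a line out
            continue
        directive, *args = line.split()
        if directive not in CIPHER_DIRECTIVES or not args:
            continue
        saw_cipher = True
        for name in args[0].split(":"):          # data-ciphers is colon-separated
            if not APPROVED.match(name):
                findings.append(
                    f"line {lineno}: {directive} permits {name}, not on the allow-list")
    if not saw_cipher:
        findings.append("no cipher directive: the negotiated cipher depends on defaults")
    return findings
```

Running audit_openvpn_profile(SAMPLE_PROFILE) reports the BF-CBC and AES-128-GCM entries with their line numbers.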
No activity logs
Look for a VPN that doesn’t keep logs of your activity, ideally one that has its no-logs claim approved by an independent auditor. If there’s no stored data about your activity, there’s not much for malicious actors to steal, even if they do manage to penetrate the VPN provider’s defenses.
RAM-only servers
Since hackers can target VPN servers directly, ensuring their security is essential. RAM-only servers don’t have hard drives, which means they can’t store any data permanently. Whenever the server shuts down or restarts, all data is wiped clean, preventing hackers from accessing any stored information.
Kill switch
A kill switch is a feature that shuts down your internet if your VPN connection drops. While it doesn’t directly protect your VPN from being hacked, it prevents data leaks if there’s an issue with the VPN itself. So, make sure to choose a VPN that offers this feature for that extra bit of security in case things go wrong.
Audits
If a VPN takes its security seriously, it will undergo independent audits by reputable auditing firms. This allows providers to filter out and eliminate possible threats before anyone takes advantage of them. Audit reports are usually publicly available, so you can see you’re choosing a genuinely secure VPN service.
Stay safe by choosing a reliable VPN service
In theory, all VPN providers can be hacked. However, practice shows that this rarely happens to paid VPN providers, and most security issues are caused by free VPNs that simply don’t have the budget to maintain a secure infrastructure.
With Surfshark VPN, you get the safest, industry-standard features and more at a pocket-friendly price. And, if you want that extra protection from hackers, you can get a whole cybersecurity bundle that includes antivirus, among other security tools, for a small additional fee.
Frequently Asked Questions
Is using a VPN really safe?
Using a VPN is safe as long as you choose a reliable VPN service provider. Any good VPN should use secure protocols and encryption algorithms, keep no logs of user activity, have RAM-only servers, and be regularly audited. Paid VPN services typically offer these features, while most free VPNs tend to be unsafe to use.
Can hackers see you when you’re using a VPN?
No, hackers can’t see your activity when you’re using a VPN. Even if they managed to break into your network, they would only see gibberish code because a VPN encrypts your traffic before it leaves your device, keeping it safe at all times.
What will a VPN not protect you from?
A VPN won’t be able to protect you if you click on malicious links or download infected files. It also won’t protect a device that already has a virus, nor will it protect you from offline threats. That’s why it’s best to use a VPN and a reliable antivirus for optimal security — you can get both with the Surfshark One subscription plan.