Our Verdict
VPN services can be hacked, but it’s extremely difficult to do so. Most premium VPNs use OpenVPN or WireGuard protocols in combination with AES or ChaCha encryption – a combination almost impossible to decrypt using brute force attacks. Using a VPN doesn’t prevent you being hacked entirely, but it reduces the risk significantly.
Hackers and cybercriminals are known to take advantage of insecure WiFi networks to steal sensitive data like bank details, login credentials, and credit card information.
When you set up a VPN connection, the VPN creates an encrypted tunnel between your device and a remote VPN server. This hides your IP address from the websites you visit and encrypts your web traffic.
By encrypting your internet connection, a VPN prevents hackers and other third parties from monitoring your web activity and makes it harder to intercept your data transfers.
Summary: How VPNs Can Be Hacked
It’s technically possible to hack a VPN connection using the following methods:
- Through Vulnerabilities in VPN Protocols
- Through Cryptographic Attacks
- Through IP, DNS, or WebRTC Leaks
- By Compromising a VPN Server
- By Stealing Encryption Keys
Why Trust Us?
We’re fully independent and have been reviewing VPNs since 2016. Our advice is based on our own testing results and is unaffected by financial incentives. Learn who we are and how we test VPNs.
Every day, millions of people use VPNs to protect themselves from hackers on public WiFi connections.
By using a VPN, they send their browsing data through a VPN server and into the hands of the company running it. So what happens if the VPN itself is hacked?
EXPERT ADVICE: Reduce the risk of getting hacked by choosing a no-logs VPN with AES-256 encryption, OpenVPN support, and a history of third-party security audits. We recommend ExpressVPN, which you can try risk-free for 30 days.
How Can a VPN Service Be Hacked?
To understand if a VPN can be hacked, you first need to understand exactly how a VPN works.
Here’s a brief summary of what happens when you use a VPN:
- You download VPN software to your device, connect to a VPN server, and request a website.
- The VPN software uses a connection protocol to safely connect your device to the server, and an encryption cipher to encrypt the data traveling to it.
- When your data reaches the VPN server, it is decrypted and the server connects to the website on your behalf.
- The website sends the requested information back to the VPN server, where it is encrypted and forwarded back to your device.
- The VPN client decrypts the information and the website appears in your browser.
To hack your VPN connection, a hacker would have to compromise your data at some point during this process. This might involve attempting to decrypt the data using a brute force attack, capturing data sent outside the VPN tunnel, or compromising the VPN server itself.
Here’s a more detailed list of how a VPN can be hacked:
1. Through Vulnerabilities In VPN Protocols
VPN protocols describe the rules that your VPN uses to create a secure connection between your device and the VPN server. The most common protocols in consumer VPN services include OpenVPN, WireGuard, and IPsec.
Some VPN services let you choose a preferred protocol, while others don’t let you choose at all. Each protocol has its own strengths and weaknesses, and some are much more secure than others.
If there is a vulnerability in the underlying protocol you’re using, your VPN connection can be hacked. This could happen as a result of design flaws if the protocol is newly developed, or simply because the VPN client hasn’t been configured properly.
For example, the PPTP protocol is no longer considered secure due to reports that the NSA cracked a PPTP VPN connection to spy on a target. Despite being outdated, it is still included as an option by some VPN services.
2. Through Cryptographic Attacks
To convert your web traffic into an unintelligible code, VPNs need to use an encryption cipher. This simply refers to the algorithm used to encrypt and decrypt your data. This is used in combination with a hash authentication, which further secures your connection.
The most common ciphers used in VPN services are AES, ChaCha20, and Blowfish – though the latter is fairly rare.
Ciphers are usually paired with a key-length, which describes the number of digits in the encryption key. At its simplest, longer key lengths are usually more secure. For example, AES-256 is considered more secure than AES-128.
A VPN should not use anything less than the AES-128 cipher to encrypt your data.
Due to advancements in computing, older hash functions and encryption ciphers can be broken in a shorter amount of time, making it possible to hack a VPN connection if it uses an outdated cipher.
For example, the SHA-1 hash function is cryptographically broken, and the Blowfish cipher is susceptible to ‘birthday attacks’. These cryptographic functions are still used by some low-quality VPNs.
A VPN should not use anything less than the AES-128 cipher to encrypt your data, though AES-256 is even more secure. ChaCha20 is a secure alternative for WireGuard users that also uses 256 bits, which means it’s equally as secure as AES-256 encryption.
3. Through IP, DNS, or WebRTC leaks
Although it doesn’t technically involve ‘breaking’ your VPN connection, a hacker could compromise your identity or activity by monitoring for data leaking outside the encrypted VPN tunnel. This is known as a ‘VPN leak’.
For example, your real IP address can be exposed if your VPN does not encrypt any IPv6 requests made by your browser, or if it doesn’t re-route WebRTC connections. Similarly, your browsing activity can be exposed if your DNS requests are handled by your ISP rather than the VPN service, or if the VPN kill switch isn’t working.
Our leak test tool checks whether your VPN is properly hiding your real IP address and DNS requests.
Most top-rated VPN services now include leak protection by default, which should keep you safe on most connections. You can also use our dedicated tool to check if your VPN is leaking.
4. By Compromising a VPN Server
If an attacker can’t compromise your VPN connection directly, they may be able to target the VPN service itself.
It’s possible for VPN servers to be misconfigured or set with weak login credentials, which makes them an easy target for hackers. If an attacker gains entry to the server, they can potentially access your personal information, browsing history, and future activity when connected to the server.
For example, one of NordVPN’s servers was breached In March 2018 due to a third-party error. This allowed hackers to see which users were connected to the breached server, as well as the websites they were visiting.
In March 2021, SuperVPN, GeckoVPN, and ChatVPN were also hacked. As a result, the names, email addresses, location, and payment information of 21 million users were made public.
The risk of your VPN server being compromised is significantly reduced if you choose a premium VPN service with a history of third-party security audits. For even more reassurance, use a VPN with RAM-only servers to prevent your data ever being written to the hard drive.
5. By Stealing Encryption Keys
If hackers obtain the encryption keys used to secure your data, they can hack your VPN connection and read all of the incoming and outgoing traffic.
Fortunately, most VPN software encapsulates its encryption keys, and most top-tier VPNs use Perfect Forward Secrecy (PFS) by default.
PFS is a protocol feature which ensures your VPN server and client use unique symmetric keys for every VPN session. Both sides generate the key independently, and the key is never exchanged across the connection. A new key is automatically issued for each session, making the previous key obsolete.
In short, Perfect Forward Secrecy removes the threat of a single encryption key that would expose all of your VPN sessions if compromised. Instead, the temporary keys ensure that a hacker could only ever expose one specific session, and nothing more.
EXPERT ADVICE: If you’re using a VPN headquartered in a Five Eyes jurisdiction, government agencies may access your identity and activity even without hacking your VPN. Some countries can legally force VPN companies to log and share your data, getting the information they need without compromising your connection.
What Happens If Your VPN Is Hacked?
If a VPN is hacked, the hackers may be able to steal personal data, access personal devices, and track your internet activity.
If your VPN connection or the VPN network itself is compromised, you could be vulnerable to the following privacy and security issues:
1. Surveillance
If your encrypted VPN connection is hacked due to leaked security keys or weak encryption ciphers, then it’s possible for the government, your ISP, or any malicious third party to see your browsing activity. In this case, the spying third party would need to have access to the leaked keys or the ability to break the encryption cipher.
Similarly, if a hacker gains permissions to the VPN server you’re connected to and it’s configured to collect activity logs, they could be able to track your past, present, and future activity on that server.
2. Sensitive data leaks
If the database of a VPN service gets hacked, all the information stored on it becomes vulnerable. This may include personally identifying information such as your email, password, real IP address, credit card information, and more.
This information is highly valuable to hackers – they can use it to perform credit card fraud, identity theft or even sell it on the dark web.
Although many VPNs boast a strict “no-logs” policy, some service providers are also legally required to store user activity and connection logs in certain countries.
If the server containing these logs is hacked, then it can disclose your real IP address, your browsing history, how much bandwidth you use, how frequently you connect to VPN, and other information, too.
3. Vulnerability to MitM Attacks & Malware
Hacking a VPN does not directly infect your device with malware, but a compromised connection can make it easier for a hacker to infect your device in other ways.
If you’re browsing on an unsafe public WiFi network using a compromised VPN connection, you’re vulnerable to the same attacks as you would be without a VPN at all.
On an unsecure network, attackers can alter key parts of the network traffic, redirect this traffic, or inject malicious content into an existing data packet. If a hacker intercepts your DNS requests and redirects you to a DNS server under their control, this is known as a Man-in-the-Middle (MitM) attack.
Once you’ve been compromised in this way, it’s easy for a malicious actor to show you fake websites, false login forms, malicious links, and much more – all of which could be used to fool you into revealing your passwords.
What To Do If Your VPN Has Been Hacked
If you’ve used a low-quality VPN that has suffered from a data leak, or you suspect your VPN connection has been compromised, then we recommend you to:
- Stop using the VPN immediately to prevent any further damage.
- Uninstall the VPN from all of your devices, then reboot the devices.
- Uninstall VPN extensions from all browsers and routers, then reboot the devices.
- Change any sensitive information that may have been affected (eg. usernames, passwords, ssh keys).
What Does A VPN Actually Protect You From?
Using a VPN minimizes the risk of getting hacked, but it does not completely eliminate it.
VPNs use encryption to hide the details of your browsing activity as it travels between your device and the VPN server. If an attacker intercepts your connection on an unprotected WiFi network, they should only see strings of unintelligible letters and numbers.
VPNs protect your data by encrypting your traffic.
This can protect you from ISP surveillance, Man-in-the-Middle attacks, network monitoring, and other forms of surveillance. However, VPN software will not protect you from hackers installing malicious software, performing phishing attacks, or attempting other local attacks on your device. In short, you can still get hacked while using a VPN.
Some VPN services provide threat management features like NordVPN’s Threat Protection, which can block access to URLs that are known to be malicious. However, it is still possible to get hacked when using these services.
Here’s a list of situations in which a VPN service will not protect you from hackers:
1. If a Third-Party Website Is Breached
If hackers are able to gain access to the database of a website that you visit frequently, they may be able to read any unencrypted data stored on that server. Any personal information you’ve submitted including your email address, password, contact info, and more could be exposed.
In this case, using a VPN may prevent your true IP address from being revealed, but it will not protect any other identifying information you’ve submitted.
2. If Your Device Is Already Infected
If your device has already been compromised and hackers can access the device remotely, they can use privilege escalation techniques to record your screen, keystrokes, camera, and microphone.
In this case, using a VPN will not restrict the hacker’s access to your computer.
3. If You Download and Install Malicious Software
Installing unknown software from the internet can silently install malware alongside it. Some browser extensions can also compromise your privacy and security. A VPN will not protect you if you download software from an untrustworthy source.
Malicious USB drives, hubs, and cables can also infect your device, regardless of your VPN connection. Using a VPN when these devices are plugged in will not prevent you from getting hacked.
4. If You Click a Malicious Link
VPN services will not protect you from phishing scams and other social engineering attacks. Be cautious about the links you click on and the files you download to your device.
ExpressVPN blocks trackers and malicious websites.
Some VPNs provide threat protection features that can block DNS requests to known malicious URLs. These features can reduce the risk of falling for phishing attacks, but they’re not always effective.
5. If Another Device In Your Local Network Is Infected
If you’re sharing a local network with another compromised device, it’s possible for hackers to employ techniques such as ARP spoofing to try and infect your computer. Depending on the configuration of the network, a VPN may or may not protect you from this form of attack.
How to Choose a VPN to Protect Yourself From Hackers
Using a VPN may not be a catch-all solution for every type of cyberattack, but it can significantly reduce your chances of getting hacked on most unsecured networks.
Not all VPN services are the same, though. If you’re looking to find a VPN for security reasons, you’ll need a service with robust security features that will stand up to any potential attacks.
Here’s a list of the most important security features a safe VPN should have:
- Perfect Forward Security
- WireGuard & OpenVPN Protocols
- AES-256 & ChaCha20 Cipher
- Third-Party Audit
- Bug Bounty
- No Logs Privacy Policy
- RAM-only Servers
- Secure History
- Kill Switch
- Leak Protection
FAQs
Is Banking Safe With a VPN?
If you’re using a trustworthy VPN service, it’s completely safe to use a VPN for online banking. In fact, it’s actually safer to use a VPN if you’re connected to a public WiFi network.
When connecting to a VPN, you are transferring your trust from the owner of your local network to the VPN service.
If you plan to rely on a VPN for sensitive browsing like online banking, it’s important you choose a top VPN service with robust encryption, reliable leak protection, and a proven track record for security.
Can a Hacker Bypass Your VPN?
If your VPN is working properly and uses AES-256 encryption with the OpenVPN protocol, it’s almost impossible for a hacker to decrypt your data. However, it’s possible for an attacker to compromise your connection in another way, such as through a malicious link or by accessing your device in person.
If a hacker is trying to identify you through your VPN connection, they may be able to track you through DNS or WebRTC leaks to determine your real IP address and location. If you’re using a VPN with leak protection, this should not be a problem.
Does Private Browsing Protect You From Hackers?
Incognito mode will not protect you from hackers. Private browsing sessions simply allow users to surf the web in a sandbox environment and delete their browsing history and cookies at the end of the session.
Can Free VPN Services Hack Your Device?
Generally speaking, free VPNs tend to be less private and secure than paid alternatives. It’s extremely rare for any VPN service to hack user devices, but free VPNs present other dangers too:
- They often log your IP address and DNS requests
- They’re more likely to operate with poor security infrastructure
- They often leak your IP address and DNS information
- Some free VPNs use advertising that can be malicious
When connecting to a VPN, you are entrusting your private information and online identity to that VPN company. It is always preferable to use a reputable VPN with a proven track record over a free VPN with limited resources.
Can a VPN Spy On Your Activity?
Regardless of the service you are using, all VPN services have the technical capacity to see your real IP address, the websites you are browsing, how long you are browsing for, and more.
In certain countries, governments can force VPN companies to collect and share this data, and make it illegal for the company to disclose what they’re being compelled to do. Often, free VPN services collect this type of data anyway.
The risk of being surveilled in this way is reduced by using a no-logs VPN that has been verified by independent audits and real-world cases.
