A hacker just took down LimeVPN’s website, stole over 69,400 sensitive user logs, and is looking to sell them for a $400 Bitcoin payment on a hacker forum. While breaches like this are increasingly commonplace, the real news is how the hacker got the logs, since LimeVPN says it is a no-log service.
LimeVPN confirmed that its backup server is what got hacked. PrivacySharks, who initially reported the breach, talked with the alleged hacker, who then confirmed that they were able to gain access to the site and shut it down through a security hole.
That backup server contained a database filled with sensitive user account data like email addresses, passwords, and payment information from its WHMCS billing system. The hacker also claims to be in possession of every user’s private key, meaning they are potentially able to decrypt any traffic passing through the VPN service. And now, that hacker is attempting to sell this information to the highest bidder on a renowned hacker forum. They are asking for $400 Bitcoin, which is roughly $13.4 million.
After touting on its website that it didn’t keep logs, LimeVPN is certainly under suspicion now since the hacker was able to jump in and scrape its entire database. Its customers were under the impression that none of their information or activity would be stored on the company’s server and are now the ones having to pay for LimeVPN doing so anyway.
Unfortunately, there isn’t much LimeVPN users can do at this point to stop the breach. However, just to be safe, we recommend users of the service stop using it immediately, take action to protect payment information (such as ordering a new credit card), change the passwords of any sites visited while using the VPN, and watch out for potential identity theft.
The breach serves as a reminder that the vast majority of VPNs are not trustworthy. Most lure customers in with cheap prices and hollow promises of security and privacy without actually being able to back them up. If you’re looking for a (new) VPN service, we recommend taking a look at our best VPN services, especially our best overall pick, ExpressVPN. This service regularly undergoes independent security audits to back up its no-log policy.