In an industry that sells a privacy service in the form of "empty tunnels," many users might not think it is crucial to use a secure password. After all, if the VPN service doesn't contain personal information, why bother securing it with a complex password? However, this line of thinking is problematic. Malicious actors are actively brute-forcing various VPN provider APIs to build extensive lists of VPN logins from top providers and distributing them freely on platforms like Telegram, Facebook and web forums.
For the end user, this could mean that one day you try to log into your VPN, and it won't work because your simultaneous connection limit has been maxed out by other users around the world. Even worse, the VPN account you paid for might be used for illegal activities, such as conducting DDoS attacks.
Why This Can Be Bad for Security
We monitor several Facebook and Telegram channels that post new VPN user login details from well-known VPN providers almost every hour. These logins are then reposted across many different Telegram groups, exposing thousands of VPN account logins to a massive audience worldwide. You might think that a few thousand VPN credentials can't cause much harm, but consider this: each account usually allows ten or more simultaneous connections. This means that a thousand VPN logins can equate to well over ten thousand simultaneous VPN connections.
While these could potentially be used to mount HTTP DDoS attacks from a few VPSes, a worst-case scenario involves someone with malicious intentions utilizing the large number of VPN logins to access a massive IP pool spread across five or more VPN providers. This pool could then be harnessed to disguise a distributed brute force attack against other vulnerable VPN appliances, SSH services, and APIs. This type of attack can be difficult to defend against, or even to recognize, because every attempt arrives from a different IP.
Cisco has recently warned against a global surge in brute force attacks, and judging by the recent increase in the availability of compromised VPN credentials, this trend is unlikely to stop anytime soon.
Where Are the Leaked VPN Credentials Coming From?
Just because a large batch of paid VPN credentials from a certain provider is compromised doesn't necessarily mean that the VPN provider itself was hacked. The vast majority of leaked VPN user details are linked to security breaches from other third-party leaks, as seen on websites like haveibeenpwned.com. This suggests that the credentials are being harvested directly from VPN providers' authentication APIs using previously compromised passwords. Since recent high-profile data breaches, this trend has only increased and shows no signs of slowing down.
For this reason, it's crucial for users to choose complex passwords and avoid reusing passwords across different websites. However, the responsibility shouldn't fall entirely on consumers. VPN providers must also take proactive steps to protect customer information. This includes monitoring platforms like Facebook, Telegram, and other forums for compromised credentials and resetting customer logins when breaches are detected.
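As an added example (not TorGuard's code), here is provider-side detection logic run over constructed authentication-API log lines. It flags the two patterns described above: one source cycling through many accounts with previously leaked passwords (credential stuffing), and one paid account being used from many source IPs (a leaked, shared login). The log format, thresholds and IP addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample of VPN auth-API log lines (not real data): one IP cycling
# through many accounts (stuffing), one account used from many IPs (a shared
# leaked login), and ordinary traffic.
SAMPLE_LOG = """\
2024-05-01T12:00:01Z ip=203.0.113.7 user=alice result=fail
2024-05-01T12:00:02Z ip=203.0.113.7 user=bob result=fail
2024-05-01T12:00:03Z ip=203.0.113.7 user=carol result=ok
2024-05-01T12:00:04Z ip=203.0.113.7 user=dave result=fail
2024-05-01T12:00:05Z ip=203.0.113.7 user=erin result=fail
2024-05-01T12:03:10Z ip=198.51.100.20 user=carol result=ok
2024-05-01T12:04:11Z ip=198.51.100.21 user=carol result=ok
2024-05-01T12:05:12Z ip=198.51.100.22 user=carol result=ok
2024-05-01T12:07:14Z ip=192.0.2.9 user=grace result=ok
2024-05-01T13:30:00Z ip=203.0.113.7 user=heidi result=fail
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(ok|fail)$")

def parse(log):
    """Yield (timestamp, ip, user, result) for each well-formed log line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ"), m[2], m[3], m[4]

def stuffing_sources(log, window=timedelta(minutes=10), max_users=4):
    """IPs that try more than max_users distinct accounts within any window."""
    by_ip = defaultdict(list)
    for ts, ip, user, _ in parse(log):
        by_ip[ip].append((ts, user))
    flagged = set()
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward past old attempts
            if len({u for _, u in events[start:end + 1]}) > max_users:
                flagged.add(ip)
    return flagged

def shared_accounts(log, max_ips=3):
    """Accounts with successful logins from more than max_ips distinct IPs."""
    ips = defaultdict(set)
    for _, ip, user, result in parse(log):
        if result == "ok":
            ips[user].add(ip)
    return {u for u, s in ips.items() if len(s) > max_ips}
```

A flagged source is a candidate for rate limiting at the authentication API; a flagged account is a candidate for the forced password reset the text recommends.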
Just a Few Examples
Free logins for nearly every popular VPN provider can be found in various online groups, and TorGuard is no exception. We actively monitor many websites for TorGuard user credentials and automatically send password resets to prevent accounts from being abused.
Many times, the groups distributing leaked credentials will promote them as a "Free Giveaway," even though the credentials are indeed leaked and users are impacted by multiple third-party breaches. Other web forums will simply refer to them as what they are: hacked VPN accounts. Here is a very small example of a few posts from Facebook and Telegram featuring numerous leaked VPN user credentials:
By bringing awareness to this growing trend, we hope that other VPN services will take a more proactive approach in resetting or disabling user credentials when they have been leaked. Just like wireless router manufacturers, VPN providers also have a responsibility to ensure their products are not weaponized into mass botnets that can cause real-world harm. We've seen how relatively simple exploits, such as password spraying attacks, can lead to devastating results. It is crucial to protect services intended to increase security, like VPNs, so they are not misused to have the opposite effect.