Credentials of real VPN users uncovered. Many of those affected are now in danger.

Usernames and passwords of hundreds of thousands of VPN customers uncovered.
These credentials are still publicly available.

In publicly accessible forums and databases on the internet, there are hundreds of thousands access data of VPN customers. These confidential data include email addresses as well as passwords. Even if one does not get directly into trouble through this, except that one has to reckon with it. The third party has to use one’s own VPN account. However, many also use the email addresses and passwords with their other online accounts such as email mailboxes, cloud storage or in social media. the danger for the affected users is thus high.

(VPNTESTER on 9th february 2021)

What has happened?

VPNTESTER security experts are constantly on the lookout for security vulnerabilities that can be exploited by attackers on the Internet. In the process, we have come across a large number of hacked VPN accounts.

Our experts have found evidence of hacked users and their VPN account credentials in some closed Telegram groups three months ago. Further investigation has revealed that the number of users, who had become victims of the hacks, can exceed hundreds and thousands. Meanwhile, we have found thousands of  published VPN user credentials and every day we find even more data. So a very large number of users is apparently affected.

In the course of our research, we have also been able to investigate some of the sources of this data, and found out that this could be traced back to automatic brute-force attacks as well as to the previous password releases. Probably, some of the hacked users also used browser extensions that routed the users’ data through the insecure proxy servers, and this is another way of how many of them have become victims of this data theft.

Some Telegram groups are already closed. New groups appear.

Of course, we have already reported the affected Telegram groups and they have been closed by Telegram. However, we have previously extracted the data and therefore provide users with a query to find out whether they themselves or their passwords have now become a part of this data published on the Internet.

Hundreds of thousands of real user data from VPN providers can be found on the Internet.

user data of thousands of NordVPN customers are publicly accessible
user data of thousands of NordVPN customers are publicly accessible

Immediate danger for users!

Hacked VPN accounts can also be a danger for other web services used by the same users because many people have the same passwords for different websites.

Thus, it is possible to get access to email accounts or other services with these credentials and then use them for one’s own purposes. Kirill Kharun, an expert from VPNTESTER, confirms that a large part of the user data can be used on other web platforms and also on the users’ email accounts or cloud data spaces and more…

“As a result, other people will now have access to the data of the affected users and it is feared that this will cause significant damage.  Very often, the same data can be used to access people’s email accounts or cloud storages. This is certainly a serious matter for the people concerned. That is why we try to proactively inform the affected users about this.” – (Kirill,

How did we get the private credentials data?

We have been researching publicly available data in our team. We have found real user names from NordVPN. At first, we thought that these were hacked passwords, but we have quickly realised that the amount of data we found from NordVPN, ExpressVPN, CyberGhost and some other VPN services was more likely to be due to organised measures. That is why we have increased our efforts.

Why we provide the data?

All the data we have collected so far is in publicly accessible forums, telegram groups or in darkweb forums. We have not paid a cent for the data and make it available in a specially secured database. A random check showed that some of this access data can also be used for email accounts or cloud users. This poses an enormous risk for the people concerned. That is why we have decided to make this data publicly available.

We continue to collect data and, of course, constantly compare it with the existing data. Therefore, we can safely claim that we have created the largest data collection of VPN access data on the internet, which exclusively concerns real user accounts and persons. This database grows almost daily by hundreds of thousands of new records.

How much user data is publicly available at the moment?

It is impossible to estimate how much user data is actually published at the moment. We have collected hundreds of thousands of data records, compared, and checked them. We stored the results in a central secure database, which currently contains more than 400,000 entries. But the number is growing all the time. We estimate that millions of users will be affected, worldwide.

Do public or closed groups on Telegram disseminate user data on the internet

NordVPN users credentials
NordVPN users credentials

Where did these VPN credentials come from?

Following an intensive review by VPNTESTER experts, more than 25% of the credentials used were already victims of other previous hacks from platforms such as Twitter, Dropbox, Ledger, bitly and others. The same user credentials that these users apparently used on VPN accounts were therefore used again.#

Since we have been able to collect data from many different sources, not all of which are directly related, we also assume that not all of the data was collected in the same way. Different methods, however, lead to the same result, i.e. that actual user data from real people is publicly accessible.

1. Insecure passwords

About one-third of the passwords were found in typical password lists, which are also used in brute-force attacks. This means that the passwords are so easy to guess that they can be easily found out even by automated queries. This also suggests great negligence on the part of most users when creating their passwords.

Example: We have found many users who use such passwords like “password” or “12345” which makes it, of course, an easy task for the hackers to find them out. With Brute force attacks, hackers try out public E-Mail addresses as usernames with multiple random passwords. As a result of such automated attacks, hundreds of real credentials can easily be found.

Much of this access data has already been found as a part of the other public data leaks, such as in the databases of users or users. of course, these data are also tried out by hackers on other services. according to our studies, this results in many hits. unfortunately, a large number of users have not learned anything after the hacks published in the media and use the same passwords as always.

2. Insecure proxy servers & FREEVPN apps

However, the presence of unsafe proxy servers used by users cannot be ruled out. In this regard, we would like to point out again that many browser extensions are themselves classified as secure, but user data is then routed through intentionally controlled proxy servers through the browser without any additional control.

On these proxy servers, all kinds of data can be filtered out in plain text and hackers deliberately extract data such as usernames or passwords in the process and thus can also collect user access data almost automatically.

Example: FREEPROXY lists does contain very often proxy-severs with the aim to steal data from users. By filtering the whole data transmissions it is easy for hackers to find out usernames and passwords from used online accounts.

There are other ways in which hackers can find out user data. However, since they are certainly not able to collect so much user data in such a short period of time as we have found out, we will not go into this directly here.

Have the VPN providers been hacked?

There is currently no indication that VPN servers or systems are responsible for data theft. The credentials of VPN clients have been released, but it can be assumed that they were direct victims of hackers. VPN users themselves bear only a small risk, as VPN services can automatically detect usage by multiple users at the same time using its own security systems, and then instruct the actual account holder to change the password.

A VPN account is not in great danger

So there is no problem for a VPN account, but many users are often bypassed if they have used the same access credentials and passwords for other web services or email accounts. Because as soon as user data becomes known on the Internet, people will also try to use it to gain access to other platforms. According to tests by our experts, at least 10% of hacked VPN users also used their credentials to gain access to their email accounts. And accessing an email account usually also allows you to access other web accounts like Facebook, Twitter, Instagram, Google Drive or many other applications through the password reset.

How do hackers earn money with this?

Access data is usually freely available but it is also can be sold on trading platforms, for example. Among other things, local media companies that are designed for private traders have offered such account data for very little money. But these access data have also been sold on Buyers are usually happy that they get a subscription for a longer period of time for very little money, but unfortunately, this account data is then often invalid after a few days or weeks, when the user who actually owns the account changes his password.

How can I check whether my access data is also affected?

We have created a queryable database below that provides the emails and passwords of more than 259,000 VPN accounts that have been published. With the following queries, everyone can check if his data has been published as well. Since we are constantly expanding the list of affected accounts, we also offer to inform users automatically in the future if they should be affected. (Select option Notification)

Have your credentials leaked?

Check your EMail or password if your account credentials got published on the web. Fill in your EMail address which you use for the VPN service or fill in your password. We will securely ask our database and will replay with the information about if you account was published and which data we have stored.


If data (email or password) used by you was found, this means that this data was or is also publicly accessible. In this case, you should immediately change the passwords of all accesses related to this email. Use different passwords for all applications!

Be aware that these credentials could be otherwise used to access your E-Mail account or your example iCloud or Dropbox account as well!

We do not collect or store any of your data which you will given here!

If you are interested in sharing this data query with your friends, you can share this page with them. If you have your own website, we can help you to use this query box on your website.

Which VPN providers are affected?

We are constantly searching and finding more sources with published access data. Customers of popular services such as NordVPN are naturally affected more often than users of  less known providers.

Our database contains credentials from almost 10 different VPN services:

  1. NordVPN
  2. ExpressVPN
  3. CyberGhost VPN
  4. PureVPN
  5. TunnelBear
  6. IPVanish VPN
  7. StrongVPN
  8. PIA (Private Internet Access)
  9. PrivateVPN
  10. VPN

Just because a provider is not in our database does not mean that user data cannot be found published on the internet. likewise, the number of published data sets found has nothing to do with the security of the VPN providers directly.

What do the VPN services have to say about this?

Typically, all VPN services are interested in informing their customers that their account credentials have been made public, but it is not their fault. But they could do more for the safety of their customers, as the following example shows.

A famous VPN Service has told us that when they hear about such cases (supposedly, they also have their own team that searches for such published data), they proactively contact users to ask them to change their password.

However, *****VPN has also refused to comment on our cases and has threatened us with legal action, if we claim that the brand itself has something to do with it. Of course, it’s also a bit frightening to see that the biggest providers on the market, try to keep the problem small rather than reacting to it proactively together with us. We have offered to share the data we have with *****VPN to proactively inform users, but representatives have refused. *****VPN  has declined to do so. (The name of the provider is not mentioned here for legal reasons.)

In any case, we can say that the VPN services themselves are not responsible for the publication of the data on the internet.

What else we want to note: (Privacy and responsibility)

We are aware of the responsibility that we now have to compile a database with a lot of personal user data. We therefore protect it by taking appropriate measures to prevent access by third parties. With this database, we would like to provide clarification and also give the affected users the opportunity to check their data themselves.

Erstellt am: 02/05/2021

Leave a Comment