
How Could This Happen? LimeVPN's Security Shortcomings

In mid-2021, cybersecurity researchers uncovered a massive data breach affecting thousands of users of LimeVPN, a Hong Kong-based virtual private network (VPN) provider. An unauthorized hacker was able to gain full access to LimeVPN's website, backend servers, and entire customer database. They proceeded to steal troves of users' personal information and put the data up for sale on hacking forums and dark web sites.

This shocking breach exposed highly sensitive details on an estimated 69,000 LimeVPN subscribers worldwide. According to screenshots shared by the hacker, the stolen user data includes IP addresses, email addresses, passwords, billing information, and other identifying details that could be used to infiltrate people's online accounts and digital lives.

For LimeVPN's customers, this worst-case scenario breach jeopardizes their privacy and security in countless ways. Below I'll analyze how this happened, the significant risks involved, and most importantly, what you can do to protect yourself if you were impacted by LimeVPN's failure.

LimeVPN advertised itself as an ultra-cheap VPN solution, with plans starting at just $1 per month. However, behind the low price tag were risky privacy practices and major security gaps that left customers dangerously exposed.

As experts point out, LimeVPN had several weaknesses that likely empowered this breach:

Minimal encryption – They appear to have only used baseline encryption protocols like AES-128 bit and TLS 1.0. Many VPNs now use AES-256 bit encryption or greater, which is exponentially harder for hackers to crack.

Insecure protocols – LimeVPN enabled less secure VPN protocols like PPTP and L2TP. The best providers only use OpenVPN or WireGuard which are far more private.

No leak protection – Leak protection like IPv6/DNS/WebRTC shielding helps keep VPN traffic secure. LimeVPN failed to implement these safeguards.

Jurisdiction concerns – Hong Kong lacks strong data protection laws and is part of the 5 Eyes intelligence network. Users had little recourse or oversight.

Weak logging policy – While LimeVPN claimed a no-logs policy, researchers found they still logged basic connection data and likely tracked/sold user activity.

Minimal vulnerability testing – Leading VPNs routinely submit to independent security audits and penetration testing. LimeVPN does not appear to have taken these steps.

Questionable ethics – As a budget VPN, LimeVPN relied on reselling user data to third parties to turn a profit while promising privacy. This contradiction puts users at risk.

With these security shortfalls, it's unsurprising that hackers were able to fully compromise LimeVPN's systems and access their entire user database unhindered.
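To make the weakness list concrete, here is an added example (not LimeVPN's code or configuration, which the article never shows): a short Python lint that reads an OpenVPN server config and flags the three technical gaps above, namely AES-128, a TLS 1.0 floor, and missing DNS/IPv6 leak protection. The two configs are constructed samples; the directive names are real OpenVPN options.

```python
# Added example, not LimeVPN's own configuration (the article never shows it): a small lint
# for an OpenVPN server config that flags the weaknesses listed above. Both configs are constructed.
WEAK_CONFIG = """\
dev tun
cipher AES-128-CBC      # AES-128 in a non-AEAD mode
tls-version-min 1.0     # still accepts TLS 1.0 handshakes
"""

HARDENED_CONFIG = """\
dev tun
data-ciphers AES-256-GCM:CHACHA20-POLY1305
tls-version-min 1.2
block-ipv6                # OpenVPN 2.5+: answer IPv6 with "no route" instead of letting it bypass the tunnel
push "block-outside-dns"  # Windows clients: stop DNS queries escaping the tunnel
"""

STRONG_CIPHERS = {"AES-256-GCM", "CHACHA20-POLY1305"}


def parse_options(config):
    """Map each directive to the list of its argument strings (push may repeat)."""
    opts = {}
    for line in config.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            name, _, rest = line.partition(" ")
            opts.setdefault(name, []).append(rest.strip().strip('"'))
    return opts


def audit_openvpn(config):
    """Return one finding per weakness from the article's list; an empty list means none found."""
    o = parse_options(config)
    findings = []
    # Minimal encryption: anything short of AES-256-GCM / ChaCha20-Poly1305 is flagged.
    ciphers = [c for v in o.get("data-ciphers", []) + o.get("cipher", []) for c in v.split(":")]
    weak = [c for c in ciphers if c not in STRONG_CIPHERS]
    if not ciphers or weak:
        findings.append("weak or missing data cipher: " + (",".join(weak) or "none set"))
    # TLS 1.0 on the control channel: older OpenVPN releases default to 1.0 when unset.
    tls_min = o.get("tls-version-min")
    if tls_min is None or float(tls_min[-1].split()[0]) < 1.2:
        findings.append("TLS minimum version below 1.2 or unset")
    # No leak protection: DNS and IPv6 traffic must be kept inside the tunnel.
    pushed = o.get("push", [])
    if "block-outside-dns" not in pushed:
        findings.append("DNS leak: block-outside-dns not pushed to clients")
    if "block-ipv6" not in o and "block-ipv6" not in pushed:
        findings.append("IPv6 leak: block-ipv6 not set")
    return findings
```

Run `audit_openvpn` over your own server config to see which of the article's gaps it would report.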

Make no mistake, the hacker who stole the data is ethically and legally in the wrong. However, LimeVPN utterly failed its users by not taking privacy and security seriously. A truly trustworthy VPN operates transparently, undergoes rigorous independent testing, chooses privacy over profit, and invests heavily in enterprise-grade infrastructure to prevent exactly these kinds of breaches. LimeVPN did none of this – and 69,000 users are now paying the price.

A breach of this scale has severe implications for impacted LimeVPN subscribers. Based on the stolen information and how it's being sold online, here are some of the biggest dangers users now face:

Financial fraud – Payment information linked to users is now in the hands of criminals. They can drain bank accounts, clone credit cards, and push victims into financial ruin. One study found 25% of breached users had fraudulent charges over $5,000.

Identity theft – With access to names, emails, passwords and other PII, hackers can easily impersonate users and open accounts or file fraudulent tax returns in their name. 65% of identity theft victims have to spend over 200 hours resolving the fallout.

Account hijacking – Credentials exposed in old breaches are frequently reused in new attacks. 84% of users reuse passwords, making LimeVPN users prime targets for account hijacking across many services.

Phishing & malware – Detailed profiles on users let hackers craft believable phishing messages and scams. Expect a surge in phony emails and texts requesting you "verify your account" info or download malware.

Stalking/harassment – For some high-risk individuals, breached location, email, and identity data could enable stalkers and domestic abusers to track them down online or physically.

Reputational damage – Associating email addresses with a service like LimeVPN can negatively impact things like background checks and social standing.

This breach jeopardizes practically every aspect of users' financial, social, and digital lives. And once your data enters the dark web, getting it removed is nearly impossible. Criminals can buy, sell, trade, and abuse this information indefinitely.

The risks are just too high. Anyone whose data was stolen absolutely must take action to lock their accounts down and monitor for fraudulent activity. But first, let's explore how hacks like this happen.

LimeVPN has not yet provided details on how this hack occurred. Based on similar VPN breaches and LimeVPN's known security gaps, experts surmise the attack may have gone down like this:

First, the unknown hacker likely scanned LimeVPN's servers and website for vulnerabilities. They possibly looked for flaws like:

  • Unpatched security bugs in LimeVPN's OpenVPN or website software

  • Default/weak passwords on admin accounts that weren't properly changed

  • Misconfigured VPN servers and incorrect firewall rules

Finding even one small opening, the hacker then intruded into LimeVPN's systems, unnoticed given LimeVPN's weak monitoring. Once inside, they traversed the network looking for the ultimate prize – LimeVPN's customer database.

After locating the full database, possibly hosted on LimeVPN's Hong Kong servers where data protections were weaker, the hacker exfiltrated a copy of the user details, covering their tracks as they left.

Finally, the hacker took the database to hacker forums to boast of their feat and profit off selling user records in bulk packages and individually.

While just an educated guess based on previous breaches, this shows the ease with which hackers can infiltrate underprepared VPN providers like LimeVPN. It further shows why rigorous security protections and audits are non-negotiable when choosing a trustworthy VPN.

Now, let's explore how you can shield yourself if your data was exposed.

If you were among the 69,000+ users impacted by the LimeVPN breach, prompt action is necessary to keep your other accounts and identity secure. Here are the steps I strongly advise LimeVPN victims take:

  1. Change online account passwords – Anywhere you reused your LimeVPN password is now highly vulnerable. Update passwords on financial, email, social media, utility, and other accounts. Use long, random passwords for each account. Consider a password manager.

  2. Enable two-factor authentication – Add an extra layer like biometrics or security keys to prevent account access even if hackers have your password. Prioritize securing email, banking, and identity accounts first.

  3. Place fraud alerts – Contact Equifax, Experian and TransUnion to place one-year fraud alerts on your credit that require verification for new accounts. This limits identity theft damage.

  4. Consider a credit freeze – Freezing your credit files outright blocks access to your credit until you unfreeze. Stop thieves from opening new credit cards and accounts.

  5. Monitor financial statements – Review credit card and bank accounts daily for fraudulent charges. Report any suspicious activity ASAP to limit losses. Consider asking your bank for a new account number.

  6. Beware phishing scams – Ignore and delete any shady emails referencing your accounts – hackers will try tricking you via phishing. Never download email attachments or click embedded links.

  7. Use antivirus & firewall software – Scan all your devices to remove any potential malware. Switch on firewalls to provide device and network security from intrusions.

  8. Sign up for identity theft protection – Services like IdentityForce provide dark web monitoring for your information and insurance against losses from ID theft. Well worth the cost.

  9. Permanently delete your LimeVPN account – Remove payment info from compromised accounts ASAP. But first, contact LimeVPN to ensure they properly delete your data from their compromised systems.

  10. Switch to a more secure VPN provider – Use this breach as motivation to upgrade to a fully vetted premium VPN like ExpressVPN, NordVPN or Surfshark. Prioritize zero logging and independent audits.

While exhausting, taking these steps is truly necessary following the scope of the LimeVPN breach. Don't wait – work your way through this checklist methodically to close security gaps before criminals exploit them.

Stay vigilant in watching for new phishing attempts, fraudulent charges, and other suspicious activity. With cautious monitoring and protection measures in place, you can reassure yourself you've done everything possible to shield your accounts and identity.

LimeVPN failed its users catastrophically. But let their mistakes guide you toward better privacy practices for all your online activity. Insist on security and anonymity from any service that handles your personal data.

I know this breach has caused major stress, uncertainty, and disruption. But please know you have an ally who wants to help guide you through this safely. Don't hesitate to reach out with any other questions or concerns. We'll tackle this together, one step at a time.
