VPN providers have definitely upped their game in recent years, but there is still a long way to go. I’m taking a look back at the Top 5 most serious VPN scandals that have forced the industry to implement greater security and helped shape it.
VPN services, as good as they are, have only become popular for personal use in the past few years, but as uptake has increased and the sheer number of providers has exploded, it has not all been good news.
With over 500 public-facing VPN services across the world, it goes without saying that one or two have fallen foul of their own success. Often this means being caught out by their own wild advertising claims, but sometimes it’s simply down to how far they have grown in such a short space of time.
Below I’m rounding up the ultimate list of Top 5 most serious VPN scandals of all time.
1) HideMyAss Lulzsec ‘fiasco’
This was, and quite possibly still is, the biggest VPN scandal of all: the one that kicked everything off and rocked 2011.
At the time, a group of hackers calling themselves ‘Lulzsec’ were defacing some pretty high-profile websites. This included the hacking of Sony Pictures and launching a DDoS against the UK’s Serious Organised Crime Agency (SOCA).
With such high-profile targets, it was always going to be a matter of time before authorities caught up with Lulzsec, and this came down in part to their use of the HideMyAss VPN service.
HideMyAss as a legitimate VPN service for security-conscious users never fully recovered. However, due to their memorable name and cutesy mascot, they are still used by millions of ordinary internet users unaware of what came to be known as the ‘Lulzsec fiasco’. In fact, they went on to be sold for many multiples of millions some years later.
HideMyAss at the time defended themselves by stating they follow UK law, and it was essentially the first large-scale case that reinforced the idea that choosing a VPN provider that stores ‘No Logs’ is best practice. As we’ll see in the next case, this didn’t improve much.
2) EarthVPN bomb hoax
Claimed “No Log” VPN service EarthVPN was fingered in 2013 after a student in the Netherlands was arrested for sending bomb threats.
The student in question was making use of EarthVPN’s service and connected to one of their Dutch-based VPN servers.
In their defence, EarthVPN stated that they had no logs stored on their servers, but that the data-centre where they rented their services must have been storing some kind of logs that EarthVPN were unaware of.
While it’s commendable that the bomb-threat-making teen was caught, there were many across the internet who doubted EarthVPN’s claims.
This shadowy VPN provider, operating out of the mostly unrecognised state of Northern Cyprus, has had further questions asked of its legitimacy as recently as this year, after it appears they are operating in ghost ship mode.
3) Hola data sell
Hola became one of the hottest ‘free’ VPN services in the middle of the decade, with millions of users across the world. Combine that with the fact that at the time they allowed access to American Netflix, and it was clear why they were so popular.
This came to an abrupt end when it was discovered the service was being funded by a commercial service known as ‘Luminati’. Luminati used Hola free users’ connections as exit nodes, essentially powering the service.
This meant that while Hola users were browsing freely via their VPN service, other paying users were utilising those users’ connections in the process.
Since the news broke, the road has continued to be bumpy for Hola. Most recently, in 2018, their Google developer account was compromised, which led to an unofficial version of their browser extension being uploaded, aimed at targeting users’ crypto-currency accounts.
4) PureVPN cyberstalking
Hong Kong-based, Pakistan-run PureVPN found themselves at the centre of one of America’s largest cyber-stalking cases of 2017. A 24-year-old named Ryan S. Lin, who was recently jailed for 17 years for his crimes, carried out a campaign of harassment and stalking against a former female roommate.
Lin launched a sustained and brutal harassment campaign over a number of months, which caused his victim an insurmountable amount of stress.
The US FBI, who already had various sources of information pointing the finger at Lin, managed to recover data that showed he had used PureVPN’s service, amongst others, to cover his tracks.
Working with PureVPN, they were able to determine their service was accessed from both his former workplace and home address. This called into question PureVPN’s logging practices. Since the incident, PureVPN has gone on to answer their critics and update their logging policies.
5) IPVanish child abuse case
In a case that came to light in 2018 but took place in 2016, IPVanish found their by-now popular service may have been harbouring one or two bad eggs.
One such was American citizen Vincent Gevirtz, caught in 2016 for sharing child porn images over the prehistoric chat system, IRC. The Department of Homeland Security traced Gevirtz as a user of IPVanish, which was at the time owned by Highwinds.
Initially, a request for information on the user in question was rejected. It is claimed that they were informed they should submit a more detailed request. Once this was received, IPVanish handed over the required information, which in part led to the capture of Gevirtz.
The case divided public opinion. While everyone agreed that Gevirtz’s crime was at the highest scale of depravity, IPVanish’s logging practices were called into question.
Since the incident happened, IPVanish’s parent company has been bought out by StackPath, and in a statement aiming to reassure users, CEO Lance Crosby reaffirmed their commitment to providing a completely ‘no log’, privacy-orientated service.
Not all doom and gloom
After reading through the Top 5 scandals above you might begin to wonder if it’s even worth using a VPN.
Even the most well-meaning VPN providers have often been at the sharp end of negative publicity. With so many claims and counterclaims, it’s often difficult to know who to trust.
Two providers who have been in the spotlight for potential negative feedback are ExpressVPN and Private Internet Access. Both have been at the centre of high-profile criminal cases and, surprisingly, unlike the five above, have come out shining.
ExpressVPN found itself involved in quite possibly the highest-level case I’ve seen.
After a Russian diplomat was murdered in Turkey, it appeared that someone involved in the case used ExpressVPN to cover their tracks. After requests to hand over data related to the case, it was clear ExpressVPN, via their no-logging policy, had nothing to share.
Private Internet Access similarly has had their ‘no logs’ claims tested in two separate court cases which you can read about here and here. While some users still doubt the wording ‘proven’, the cases show that Private Internet Access is at least one provider who has had their claims put to the test.
The above five cases aren’t an exhaustive list of VPN provider scandals, but they’re certainly some of the most prominent that have helped shape the industry. I would love to hear your thoughts about other issues that have cropped up in the past or in the here and now.