PureVPN Hit With A Zero Day Exploit, But CEO Says Email Alleging Data Compromise Was Fake
PureVPN — one of the VPN tunnelling services that assign new IP addresses to a users’ connected devices, useful for those accessing the Internet in firewalled countries or those who want to use services that are usually geo-restricted at their current location — has been dealt a double blow by malicious hackers in the last several hours: a zero-day exploit via a third-party CRM service the company uses; and then a subsequent letter sent out to some users alleging account closure and a data compromise, which is fake.
PureVPN founder Uzair Gadit tells us that there is no issue with the service. “Our VPN service is functioning 100% fine and there is no interruption whatsoever,” he wrote in an email, adding that while the company is investigating the cause of the email, “we hereby confirm that, as we do not store any of our users’ credit card nor PayPal information in our on-site databases, there has been no compromise in our users’ personal billing information.”
The incident highlights how while VPN tunnelling services are often thought as more secure routes for those worried about data compromises, they are not immune from attacks themselves. Perception of these services can be especially precarious considering that they have not been immune to crack-downs from restrictive governments in the past, such as in this incident in China from December 2012.
The PureVPN story was brought to TechCrunch’s attention by one of PureVPN’s customers who is based in China. Several hours ago, he sent over the following letter, noting that his account was closed, and that his billing information was being handed over to authorities, who might be contacting him in future:
A couple of hours later, his first email was followed up with another, which noted that the earlier email was fake:
“We are sending this note as a clarification,” the note said. “We are NOT closing down nor do we have outstanding legal issues of any sort. We have neither been contacted by any authorities nor do we store our user’s personal data to share with anyone.” The company says that while the VPN service remains fully operational “secure to the highest possible levels of encryption,” it has disabled the billing portal and client area while it is investigating the issue. The company is also posting updates on its blog.
We reached out to PureVPN about the two emails, and Gadit gave us a bit more information about what has happened.
He says that the email appears to have hit only a subset of all of PureVPN’s users, but the fact that our tipster was in China is not an indication that it’s only users in that country who may have been affected, with email IDs and names being the only data that appears to have been accessed.
“I confirm that the subset is NOT limited to Chinese users,” he says. “The motive is yet unclear.” Gadit says that PureVPN has hundreds of thousands of users from over 100 countries worldwide.
“There is NO issue with the service, there has been a fake email sent to some of our users talking about legal issues and other misleading stuff. Our VPN service is functioning 100% fine and there is no interruption whatsoever,” he wrote. “While we are investigating the cause of the email we hereby confirm that, as we do not store any of our users credit card nor PayPal information in our on-site databases, there has been no compromise in our users personal billing information. Similarly, service troubleshoot logs (connection attempts, users IPs and location) are safe and intact as we do not store such logs on site. Furthermore as we vouch for privacy, security and anonymity on the internet we do not store actual VPN service usage logs so there is no point in users’ privacy or anonymity being breached.”
He says that initial reports “suggest that we [were] hit with a zero day exploit, found in WHMCS.” This is a third-party CRM service used by PureVPN on its site. WHMCS had to release a security patch on October 3. At the time, it noted that “the vulnerability allows an attacker, who has valid login to the installed product, to craft a SQL Injection Attack via a specific URL query parameter against any product page that updates database information.”
So far, this, combined with PureVPN’s growth itself, are Gadit’s two reasons for the breach. “Clearly we are getting more and more popular crossing new heights too fast,” he wrote. “Such attacks are not unexpected with popular services these days. Such incidents only add to our resolve to emerge as more securer and faster privacy and security VPN service.”
He said that PureVPN is working on posting a complete report when it has completed its investigation.
In the meantime, if you’re a PureVPN user, be extra vigilant in looking out for any emails that ask you to reconfirm any billing details that you use for the service — they may be related to data collected during the zero-day exploit. (That goes on top of being vigilant against the many other kinds of phishing emails you may get every day.)