Report on compromised VPN passwords: What does it mean for ExpressVPN’s customers?

On September 17, 2024, Specops reported that in the past year, upwards of two million VPN account passwords have been compromised. 

ExpressVPN was the second most-affected provider, making up 4.4% of the stolen passwords. As an industry-leading VPN service with four million active users globally, this represents between 2% and 3% of our total current user base—but there’s no way to confirm whether the compromised credentials belong to active or past users. 

It’s important to note that neither ExpressVPN nor any other VPN provider was compromised. These leaked login credentials are the result of different forms of malware ranging from brute force attacks to sophisticated phishing attempts. 

The original report doesn’t include any source data or methodology, so we don’t know how many of the breached logins are current credentials. While this might not be the most rigorous report, it’s still a reminder of the steps we should all take regularly as internet users to protect our peace of mind online. With this in mind, we encourage all our customers to take steps to secure all their password-protected accounts. 

How to protect yourself from data breaches

Learning proper password hygiene is crucial to keeping your accounts safe. These are the steps we recommend you take.

Change your password

The report shows that the most common breached passwords overall are, unsurprisingly, “123456,” “123456789,” and “12345678.” The most common word passwords are “admin” and “password,” with “qwerty” and “P@ssw0rd” also making an appearance. This highlights why using strong, unique passwords is so important.

While you don’t need to change your passwords frequently, updating them after a data breach is essential to protect your accounts. We recommend: 

• Using a password generator to create the strongest possible passwords. Strong passwords are long, random, and unique: long passwords take longer to crack via brute force, random passwords are hard to guess, and unique passwords don’t appear in databases.
• Using a password manager. Strong passwords are hard to remember, so storing them securely is essential. Our built-in password manager, ExpressVPN Keys, uses zero-knowledge encryption built on our proprietary Lightway protocol to ensure no-one—including us—can see your passwords. It also alerts you if any of your saved passwords become compromised in a data breach.

Use two-factor authentication

Two-factor authentication (2FA) is a secondary measure you can take to prevent unauthorized account access. When 2FA is enabled, you’ll be prompted to enter a one-time password, sign in with biometrics, or answer a personal security question after entering your username and password.

Learn about phishing practices

The most effective way to prevent phishing scams is learning to recognize them. The goal of these attacks is getting you to hand over personal information that can then be maliciously exploited, and while they’ve been around longer than the internet, they’re becoming increasingly more sophisticated. For example, phishing emails typically include poor spelling and grammar, but tools like ChatGPT make it easier to create legitimate-looking messages.

There are some basic rules you can follow to protect yourself:

1. Never click on suspicious links. Risky links could trigger malware downloads or take you to pages like fake login screens that encourage you to share personal information.
2. Don’t download attachments from unknown sources. Attackers hide malware in files, and downloading them could install malware, spyware, or ransomware on your device. 

Use antivirus software

Antivirus software scans attachments, domains, and links against databases of known malware files. It stops you from downloading problematic files or entering malicious sites.

Additionally, advanced security features like ExpressVPN’s Threat Manager prevent your device from communicating with any third party known for tracking activity or behaving maliciously, making it harder for sites or spies to track what you’re doing online. 

What kind of malware attacks could lead to stolen passwords?

The Specops report speculates on several kinds of malware or phishing attacks that could have led to peoples’ logins being compromised, but it’s not conclusive. Possible attacks include: 

Website spoofing

Hackers create fake websites that mimic the site you’re trying to access, like a VPN login page. Your email and password are collected when you enter them.

Domain spoofing

Similar to website spoofing, attackers build fake domains that mimic real, known websites. When you enter your information, it’s sent straight to the hacker.

Evil twin attacks

Hackers set up fake Wi-Fi networks. When people connect to them, their details can be captured and stolen, or malware can be sent to their devices.

Keylogging

Once installed, keyloggers track users’ keystrokes, revealing sensitive input such as passwords. 

How ExpressVPN protects your credentials

While this password breach wasn’t on us or any other VPN provider, we take credential compromises seriously. As well as a password generator and built-in password manager, we currently have a bug bounty in place where we regularly receive reports of compromised credentials. When they’re identified, we reset affected users’ passwords in an effort to restore control back to the rightful owner.