VPNs are often marketed as impenetrable shields, promising anonymity and security with just a single click. Yet history tells a different story. Over the past decade, even the most well-known providers have suffered serious breaches, leaks, and lapses in transparency—sometimes exposing millions of users to surveillance, identity theft, or worse.
Here, we examine the most significant VPN breaches to date and explore how each incident has reshaped the conversation around online privacy. These aren’t just isolated slip-ups; they’re critical reminders that no tool is perfect and that blind trust in any privacy product can be dangerous.
We’re also including practical steps to help protect yourself today, as well as key indicators that distinguish trustworthy VPN providers from those that merely claim to value your privacy.
Counting Down the Biggest VPN Breaches
Data breaches vary widely in scope and impact. Some involve limited data exposure or uncover vulnerabilities that are quickly patched, while others result in the compromise of entire databases. While all breaches are important, we’re highlighting those that caused major disruptions or had a significant impact on the industry. We’ve excluded minor incidents, so this is far from a comprehensive list, but rather a focused look at the most critical breaches, ranked from least to most severe.
Of course, no company is immune to breaches. Novel attacks are continually being developed and deployed by hackers and counter-government agencies. Accordingly, the VPNs mentioned below shouldn’t be automatically disregarded due to an isolated security incident. How a company responds to a breach is as important as the breach itself. Along with our rigorous testing process, we thoroughly examine a VPN’s history and its response to attacks, breaches, and inquiries before recommending it.
An incident that didn’t result in significant data loss and was rectified quickly is indicative of a proactive service that can adapt and respond to attacks. A major incident that resulted in mishandling data or misleading users is a much bigger issue and one we weigh heavily when considering the service as a recommendation. Time and a proven record of change can increase our trust in a VPN after a security failure, but such changes must be significant and demonstrate that the VPN has taken adequate measures to protect its users before we will give it our approval.
10. Hundreds of Free VPNs Put User Data at Grave Risk (2025)
Zimperium released a report analyzing more than 800 free VPNs available on Android and iOS and found that the vast majority severely lacked adequate privacy measures. Zimperium confirmed that malicious VPN apps are not merely a thing of the past. This is why we only recommend trusting free VPNs from reputable services.
9. NordVPN Third-Party Data Center Breach Raises Infrastructure Concerns (2018)
A NordVPN server in Finland, operated by a third-party data center, was found to have a security vulnerability that allowed a hacker to gain unauthorized access. While the attack did not result in any compromised user data, it highlighted the vulnerability of VPN companies and their reliance on third-party infrastructure that may not adhere to the same privacy standards as the VPN. Nord wasn’t notified until a year after the incident, further highlighting the risks associated with hosting user data on externally managed servers.
8. TunnelVision Attack Reveals New Vulnerabilities in VPN Protocols (2024)
A researcher at Leviathan Security Group discovered a new attack, dubbed TunnelVision, that can compromise any VPN client connection under certain conditions. In short, this attack creates a side channel in a VPN connection, allowing a potential hacker to access unencrypted data. This vulnerability remains, and it is up to individual VPN providers to protect users against the threat. Nothing is secure forever. New threats and attacks are being developed every day. While you may be able to trust your VPN and its defenses now, novel exploits and attacks could undo current protections faster than many providers may be able to adapt.
7. HideMyAss Sparks VPN Privacy Revolution With LulzSec Incident (2011)
In 2011, HMA VPN complied with a UK court order and handed over user logs that tied an HMA account to an alleged hacking attempt against Sony. This incident shook the consumer VPN space, causing many VPNs to adopt no-logs policies and become more transparent about existing policies to avoid facing the same backlash that HMA did. HMA acknowledged the mistake and has since updated its privacy policy to be truly no-logs.
6. Cisco VPN Breach Highlights Importance of Multi-Factor Authentication (2023)
Akira and LockBit, two ransomware groups, employed a brute force attack that compromised Cisco’s VPN service, resulting in unauthorized access to user credentials. This attack was particularly effective against those who did not have multi-factor authentication (MFA) enabled. Cisco responded by issuing critical security updates that prevented 27 additional zero-day attack vectors. Successful attacks against enterprise and government-level infrastructure, such as those targeting Cisco, demonstrate that even tools considered more advanced than consumer options are vulnerable to the same threats.
5. Ivanti Pulse Connect Secure Breach Hits Government Devices (2021)
A suspected Chinese hacker group exploited a zero-day vulnerability in Ivanti’s network to compromise devices used by the US and EU governments. The breach was the third in a series of attacks that occurred in 2020 and 2021, and the compromised devices remained undetected for months. It is unknown what information was secured and exactly how extensively the network was compromised. Ivanti responded with security updates, and many users had to completely reset or dispose of affected devices.
4. Pure VPN CRM Exploit Shows Risks of Third-Party Services (2013)
An attack in 2013 exploited a zero-day vulnerability in Pure VPN’s third-party customer relationship management (CRM) software. The resulting leak compromised user emails and names. The hacker then used the stolen data to conduct a phishing scam against users. The incident demonstrated that relying on third-party services can be a hidden weak link, even if a VPN appears to be secure. Compensation was promised to affected users once the investigation was completed, but there is no public record of a payout or settlement being made.
3. Fortinet’s Repeated Credential Leaks Shake Enterprise VPN Trust (2020, 2021, 2025)
Fortinet isn’t a traditional VPN; rather, it is a cybersecurity company that offers VPN solutions and infrastructure to businesses. It’s commonly used as a remote access tool for enterprises rather than a consumer-level product. However, it has been impacted by multiple breaches. A vulnerability in 2020 resulted in the leakage of more than 50,000 VPN credentials, which included usernames, passwords, and unmasked IP addresses. A subsequent hack in 2021 exposed 500,000 usernames and passwords due to an unpatched vulnerability. Yet another attack in 2025, this time from Belsen Group, used a zero-day exploit that compromised more than 14,000 devices. Fortinet responded in all cases with patches and acknowledgments of error, and warned users to update their devices to secure their connections.
2. Seven Simultaneous VPN Leaks Expose 1.2TB of User Data (2020)
A server shared by seven VPNs (UFO VPN, Fast VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN) operating in Hong Kong was found to be compromised. VPNMentor discovered the vulnerability and published a report documenting the event. The leak totaled 1.2TB of data, which included support chats, user browsing history, IP addresses, and stored activity logs in plaintext. The investigation reaffirmed that trusting unproven, unaudited VPNs comes with significant risks. It also showed that scandals don’t stay in the public’s eye forever. Many of the VPNs subject to this investigation continue to operate despite the gross mishandling of user information. Platforms like the Google Play Store may seem trustworthy, but many apps may put your data at risk.
1. Hola VPN Botnet Scandal (2015)
More than 47 million free Hola VPN users unknowingly contributed to a botnet tied to the company’s sister app Luminati (now known as Bright Data), which sold access to the network nodes. Those same user connections from Luminati were then compromised and used in a distributed denial-of-service (DDoS) attack against the 8chan message board. This event was one of the first to highlight the risks associated with using supposedly free services. Hola VPN has refuted any wrongdoing, stating that the nature of its peer-to-peer (P2P) network was adequately disclosed to free users. While it has not ceased operating as a P2P network, the site now clearly discloses this fact and continues to share free user traffic with its sister site.
Building Trust With Your VPN: Practical Privacy Tips
Attacks like those mentioned above are likely to continue, especially with the potential rise of quantum computing. However, each incident has driven VPN providers to adopt greater transparency and implement stricter security and privacy standards. As threats evolve, so do the defenses against them.
A VPN’s privacy policy is a valuable resource for understanding what data the service collects. Ideally, a VPN should not keep any logs that could be traced back to individual users. Some short-term diagnostic data collection is common, but it should be minimal and temporary. For more insight into how we evaluate VPNs, check out our guide on the testing process and the criteria we use.
The Best VPNs We’ve Tested
We ensure that every VPN we recommend has been thoroughly evaluated for major flaws, inconsistencies, and vulnerabilities before we recommend it. Still, real-world incidents have shown that privacy policies and independent testing can only reveal so much. To dig deeper, we directly engage with VPN companies and interview their representatives to uncover information that isn’t always publicly available. Despite our careful vetting to identify and eliminate obvious scams and malicious actors, some risks remain unknown. Many security breaches happen due to hidden vulnerabilities or exploits that even the company itself may not be aware of. Additionally, third-party partners sometimes fail to uphold the VPN’s privacy standards, leading to leaks.
Ultimately, it’s wise to build trust gradually rather than fully committing upfront. Avoid locking yourself into long-term annual plans with a single provider. Use disposable emails and one-time payment methods to protect your anonymity. Create a comprehensive privacy toolkit including a password manager, multi-factor authentication, and encrypted messaging apps. By limiting the personal information you share voluntarily, you significantly reduce your chances of falling victim to a data breach—whether through your VPN or any other company trying to exploit your data.
About Our Expert
Justyn Newman
Senior Writer, Security

