The research team analyzed compromised VPN credentials between August 20, 2023, and August 20, 2024, and found that 2,151,523 users' passwords had been stolen by malware during the period.
Among these, over a million (1,306,229 to be more precise) came from users of one of the best free VPN services on the market, Proton VPN. ExpressVPN and NordVPN follow as the next most stolen credentials, with 94,772 and 89,289 respectively.
The most common password to be compromised was 123456, which was found to be leaked 5,290 times. Despite this, the findings suggest that users had mostly used unique or strong passwords. "But this hasn’t stopped them from becoming compromised," noted researchers.
Users may have been tricked into giving away their secret login details on fake websites impersonating the VPN provider. Cybercriminals are accustomed to taking advantage of reliable brands to carry out phishing attacks. Keylogger malware could also be used to capture keystrokes, including VPN passwords.
A NordVPN spokesperson also suggests that cybercriminals may have used so-called credential stuffing attacks to compromise VPN passwords. This type of attack takes advantage of people's tendency to reuse the same password across different accounts, by trying previously leaked credentials against other services.
"Credential stuffing is a problem not only for us but for almost every other digital service and website," explained NordVPN.
Similarly, Lauren Hendry Parsons from ExpressVPN highlights how the leak didn’t occur through the compromise of any VPN provider, but in a range of ways such as brute force attacks and sophisticated phishing.
"Given that ExpressVPN is a leading VPN provider with 4 million active users around the world, it stands to reason that a substantial number of ExpressVPN credentials are included in this report," she told me. "Importantly, we cannot know how many of the identified credentials are active versus expired."
Proton VPN, ExpressVPN, and NordVPN are the biggest targets
www.techradar.com