LimeVPN was the victim of a data breach that affected 69,400 users and their private data. The company’s public and private keys were also compromised.
According to statements made by a hacker the stolen database includes billing information, passwords in text files, IP addresses, billing information, and usernames among other things.
As reported by Threatpost, a PrivacySharks representative acknowledged that there had been a data breach at LimeVPN and that the hacker who grabbed the database had also taken credit for the site’s downtime. The company stated, “The hacker informed us that they have the private keys of every user, which is a serious security issue as it means they can easily decrypt every LimeVPN user’s traffic”.
Cybercriminals can decrypt internet traffic transmitted using LimeVPN and use it in their further operations.
Stolen information is marketed on a hacking forum
The data was marketed on the popular hacking community RaidForums by a hacker known as slashx. He first stated that the data set contained approximately 10,000 entries and set a price of $400 for the data package. Following that, he increased the count of the records and informed researchers that he was able to carry out the data theft by exploiting a security flaw.
Additionally, the RestorePrivacy investigation team revealed that the hackers did not steal any credit/debit cards or bank information because they used WHMCS as a third-party payment processor. Nonetheless, the hackers claims he has complete access to the WHMCS database through the LimeVPN data hack.
The event calls into question LimeVPN’s credibility, as the firm advertises its services as not recording logs of user activity. Yet the aforementioned information is contradicted by the availability of the allegedly stolen records.
PrivacySharks advised their users to replace or freeze their credit/debit cards, as well as change their passwords immediately. Another piece of advice that consumers should consider is enabling two-factor authentication.