Can a VPN Be Hacked? Yes! (+ How to Choose Safe VPNs 2021)
Yes, VPNs (like any cybersecurity product) can be hacked. I’ve been covering the VPN industry for the past 6 years and I tested dozens of the more secure VPNs, the same way hackers try to penetrate them.
After extensive testing, I found that not all VPNs are created equal. Top providers (like ExpressVPN) use advanced security features that would take years and millions of dollars to hack. On the other hand, some services (including many free VPNs) sell your data for revenue and intentionally expose you to malware or fraud.
Choosing the right VPN is important because it determines how much risk you’re exposed to. In this article, I explain how VPNs get hacked, tips to help you choose a secure service, and reviews of the safest providers on the market.
If you need a quick answer, jump down to see the toughest VPNs to hack.
The Basics: A Simple Explanation of How VPN Encryption and Redirection Work
In order to understand how hackers target VPNs, let’s first review how VPNs encrypt and redirect your internet traffic to protect you online.
First, your VPN uses encryption to scramble your data into unreadable code. To decipher it, you need the correct key — otherwise, it looks like a string of random letters, numbers, and symbols. Then, it redirects your internet traffic to a remote VPN server to bypass your Internet service provider (ISP) and mask your IP address. The best VPNs also erase records of the data that pass through their servers (like your real IP address, browsing history, etc.) — this keeps you anonymous and secure from your ISP, hackers, and others.
Without a VPN, everything you do online is totally exposed (even in incognito mode). Since your traffic isn’t encrypted or redirected through a secure server, your ISP and others can log and sell your data. If third parties acquire your real IP address, they can find your location and browsing history — this is a big concern especially in countries without net neutrality. I don’t know about you, but the idea of a cybercriminal finding this information terrifies me!
5 VPN Weak Points Hackers Target
A top-tier VPN keeps you much safer than using a free service or no VPN at all — but even the best providers have weaknesses that cybercriminals could try to attack. Before you commit to a long-term subscription, keep in mind these 5 weak spots so you can pick the safest service possible. To get your data, hackers may try to:
1. Break the VPN’s Encryption
While it might be a bigger risk with low-quality services, most cybercriminals don’t try to break the encryption used by high-quality VPNs because it’s too time-consuming, expensive, and difficult. It’s estimated that even the US National Security Agency would need 100 million dollars and over a year to try to hack one encryption key of a top VPN!
However, not all VPNs use the same encryption standards. For example, DES and Blowfish encryption are older and may be less secure — avoid any services that use these!
2. Steal Encryption Keys
For a burglar, it’s easier to break into your house if they steal the spare key under your doormat. The same is true for hackers — decoding encrypted data through programming is hard, so they usually try to steal encryption keys to decipher it. Hackers have successfully stolen keys from compromised VPN servers in the past.
Hackers use stolen encryption keys to perform Man-In-The-Middle (MITM) attacks to decipher data as it passes between 2 points. It’s like online eavesdropping — as if your mailman were to open a letter before putting it in your mailbox. Cybercriminals can even alter data sent to you. When you try to access a site, they send you a fake page to intercept your login credentials.
3. Take Advantage of IP and DNS Leaks
While taking advantage of DNS and IP leaks isn’t technically hacking, it’s a common vulnerability in low-quality VPNs.
Together, your IP address and DNS requests can reveal a lot about you — including your true physical location and everything you’ve done online. A VPN should be able to hide your IP address and DNS requests. But if there is an issue with the service’s software or it doesn’t include an automatic kill switch, cybercriminals could acquire your sensitive data through a leak.
4. Exploit Weaknesses in Servers
Some VPNs don’t directly own their entire network and may rent servers managed by data centers in other countries. If the VPN provider doesn’t properly oversee the management of these third-party servers, hackers might find weaknesses to enter the network. Since some VPNs still write data to hard drives, that means your information remains on the server until it’s erased during maintenance. If hackers penetrate a mismanaged server, they may have access to these data records as well as encryption keys.
5. Steal User Logs
Different services vary widely in how much data they store about users. But the more data a VPN logs about you, the more information is available for hackers to steal. Cybercriminals could enter a vulnerable server and steal user logs. There have been cases of free VPNs leaving their servers and extensive records completely exposed — thus revealing sensitive information like home addresses, full names, payment details, and browsing history. With such data, hackers could easily use it to blackmail you, commit fraud, or steal your login credentials.
Worse yet, I thought any VPN that said it had a no-logs policy would keep me secure — but that’s not always true. I was shocked that many services with unverified “no-logs policies” actually keep records of your IP address, connection times, and online activities. Some may even sell this data or share it with government authorities.
Biggest Risks If Your VPN Gets Hacked
If your VPN gets hacked, cybercriminals and other prying eyes can easily intercept the information you send from your devices. Here are a few of the risks of using an unsafe VPN:
- Identity theft. If hackers intercept your private data, they could use it to set up accounts, borrow money, or commit crimes under your name.
- Hacked email, social media, and other accounts. If cybercriminals steal your login credentials, they could impersonate you and see your messages or personal documents.
- Bank account information stolen. Hackers can exploit low-quality VPNs to steal your online banking credentials to apply for credit cards or loans.
- Spying by your ISP. If your VPN doesn’t adequately redirect your traffic, you’ll connect through your ISP — allowing them to monitor your activity, location, and other data.
- Government surveillance. If your VPN gets hacked, it could let surveillance agencies see that you’ve accessed blocked sites — which may lead to fines or jail in some places!
- Smartphone taken over. Cybercriminals can use a compromised VPN connection to access any device connected to it. That means they could access all your data and even use ransomware to blackmail you into paying ransom to unlock your phone.
- Smart home devices hacked. If hackers use unsafe VPN connections to access your smart home devices, they may change the settings and break into your home.
Why You Should Definitely Still Use a VPN
Although there is a small possibility that even the safest services could be compromised, VPNs with strong security are still the best way to help protect you from hackers. Unless you’re an extremely high-value target, cybercriminals likely wouldn’t even try to hack a top-tier VPN service to get your data. It is much easier for them to access your devices that aren’t protected by VPNs. A secure service can:
- Encrypt your data with military-grade security so it’s unreadable to third parties like hackers, your ISP, advertisers, government surveillance, and others.
- Mask your IP address to hide your true physical location from prying eyes.
- Erase any trace of your online history so that third parties can’t track what you’ve been doing online (like accessing blocked content, torrenting, or exploring the dark web).
- Prevent your online activities from being tracked by marketers, websites, and others and stop targeted ads.
- Detect and protect you from harmful content like malware, ransomware, viruses, phishing scams, and more that could let cybercriminals steal your login credentials or take control of your devices.
How to Choose a VPN That’s Difficult to Hack
Based on advertising, I thought most VPNs offer the same level of protection — but my research showed me that I was wrong. I selected this article’s list of the safest VPNs according to the most important security features to protect you from hackers. When selecting your provider, make sure to:
1. Choose AES 256-bit Encryption
Most VPNs claim to offer the top encryption standards — but that’s not always the case. The best security includes AES 256-bit encryption.
VPN encryption is described in terms of its cipher (the encryption algorithm) and its key length (the size of the key, measured in bits). Although there are many ciphers available (Twofish, Camellia, and others), AES is the most secure. Similarly, secure VPNs use keys that are at least 256 bits long because they’re complex and hard to hack. I feel safe using AES 256-bit encryption because even government agencies use this standard to protect state secrets.
2. Search for OpenVPN/IKEv2 Protocols
VPN encryption is based on a protocol, which is the set of instructions the algorithm follows. Choosing the right protocol is important because it affects your safety and connection. The 5 major protocols used by VPN services are OpenVPN, PPTP, L2TP/IPSec, IKEv2, and SSTP. Each option has advantages and disadvantages, but the top protocols with the best balance of speed and security are OpenVPN and IKEv2.
OpenVPN is the most versatile protocol for a variety of devices and is usually the default for high-quality VPNs. IKEv2 is useful on mobile devices and gives you slightly faster speeds (which is great if you want a VPN for gaming, HD streaming, or other data-intensive activities!). To stay extra safe, I always avoid services that use PPTP because it’s the least secure option.
3. Select SHA-2 Authentication
SHA-2 is the most up-to-date and secure authentication system available to make sure that your data stays safe. The hash-based message authentication code (HMAC) is an algorithm that VPNs use to verify that transmitted data hasn’t been tampered with by third parties. SHA-2 and SHA-384 (a variant of SHA-2) are the most secure algorithms available. I always avoid services that use SHA-1, as this is an older algorithm and may be vulnerable to cyberattacks.
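To make the HMAC check concrete, here is an added example (not code from any VPN provider) of a receiver that verifies an HMAC-SHA256 tag before accepting a packet. It goes one step beyond the paragraph by also rejecting replayed packets through a packet counter. The frame layout, the names and the sample key are assumptions made for illustration, and encryption of the payload is left out to keep the focus on authentication.

```python
import hashlib
import hmac
import struct

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes for HMAC-SHA256 (a SHA-2 digest)
ID_LEN = 8                              # 64-bit packet counter


def seal(key, packet_id, payload):
    """Sender side. Assumed frame layout: tag || packet_id || payload."""
    body = struct.pack(">Q", packet_id) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return tag + body


class Receiver:
    """Accepts a frame only if its tag verifies and its counter is new."""

    def __init__(self, key):
        self.key = key
        self.last_id = 0  # highest packet id accepted so far

    def open(self, frame):
        if len(frame) < TAG_LEN + ID_LEN:
            raise ValueError("short frame")
        tag, body = frame[:TAG_LEN], frame[TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison, so timing does not reveal how many
        # leading bytes of a forged tag were correct.
        if not hmac.compare_digest(tag, expected):
            raise ValueError("bad HMAC")
        (packet_id,) = struct.unpack(">Q", body[:ID_LEN])
        # The counter is covered by the tag, so it is checked only after the
        # tag verifies. A strictly increasing counter is a simplification.
        if packet_id <= self.last_id:
            raise ValueError("replay")
        self.last_id = packet_id
        return body[ID_LEN:]


def check(receiver, frame):
    """Return 'accepted' or the reason the frame was rejected."""
    try:
        receiver.open(frame)
        return "accepted"
    except ValueError as exc:
        return str(exc)


# Constructed sample data, not captured traffic.
KEY = bytes(range(32))
FRAME = seal(KEY, 1, b"GET /account HTTP/1.1")
TAMPERED = FRAME[:-1] + bytes([FRAME[-1] ^ 0x01])  # one bit flipped in transit

if __name__ == "__main__":
    rx = Receiver(KEY)
    print("original :", check(rx, FRAME))
    print("replayed :", check(rx, FRAME))
    print("tampered :", check(rx, TAMPERED))
    print("wrong key:", check(Receiver(bytes(32)), FRAME))
```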
4. Investigate the Server Network Management Policies
Since a VPN redirects your internet traffic through its servers, how it manages its network affects your security. If it doesn’t own its entire network, verify that your VPN encrypts and properly maintains third-party servers (as all the recommended providers in this article do).
Additionally, VPNs that run their servers on RAM provide you with extra safety compared to those that use traditional hard drive memory. That’s why many providers are shifting to RAM-based memory, which erases your data every time the server reboots. This is safer for you because the temporary records of your data exist for a shorter period of time.
5. Test IP Address and DNS Leak Protection
Use a VPN with IP address/DNS leak protection and a kill switch to prevent hackers from finding your location, device information, and online history.
I was frightened when I learned these leaks reveal such sensitive data — I definitely don’t want hackers finding my address. According to my team’s testing, all the VPNs in this article passed IP address/DNS leak tests. For extra reassurance, I was able to use this IP address tool to see if my location was hidden and conducted DNS leak tests to ensure my personal data was safe.
6. Research the No-Logs Policy
Most VPNs claim to follow no-logging policies — but I was shocked to find that not all providers follow the same standards. Only the best services don’t keep identifiable user information and have undergone independent cybersecurity audits to prove it. A VPN with a true no-logging policy doesn’t record your data when it passes through its servers. If hackers penetrate the provider’s network, they won’t find much since there are no logs about you.
To prevent cybercriminals from stealing records of your sensitive information, I recommend you research the details of your VPN’s no-logs policy before committing to a subscription.
7. Look for Features That Block Malware and Ads
Choose a VPN that includes (or is compatible with) malware and ad blockers. This feature not only blocks annoying pop-ups, but it also stops you from entering websites that host harmful content.
I thought I’d be secure if I practiced safe online habits (like avoiding suspicious ads). But hackers are skilled at imitating legitimate websites and there’s no way to determine if something is dangerous by its appearance alone. In fact, hackers often infect victims’ devices with malware on normal-looking pages. Some of the most common attacks include:
- Bait-and-Switch ad attempts — Normal-looking advertisements lead you to a compromised page that injects your device with malware.
- Cookie theft — Cookies contain a lot of identifying data on users; if your cookies are stolen, the attacker can access this information.
- Ransomware — This type of malware encrypts your data so you can’t access any of your device’s files. The hacker holds it “hostage” until you pay a ransom.
- Phishing scams — A legitimate-looking website steals personal information that you type into their entry fields.
- Malicious browser takeovers — Hackers modify your browser settings to make annoying ads pop up or change your homepage to a hijacker page.
- Clickjacking — Users are tricked into clicking hidden buttons on a website that actually link to malware.
- DNS Spoofing — Changes information in a DNS cache to redirect you to a dangerous website.
2 Safest VPNs That Are Hard to Hack (Updated 2021)
1. ExpressVPN — Protects You From Prying Eyes With Special Servers and Military-Grade Encryption Protocols
- Top-tier AES 256-bit encryption combined with nearly unhackable protocols secure your data
- Leak protection and an automatic kill switch prevent third parties from spying on you
- Compatibility with malware and ad blockers keeps you safe from dangerous content
- 3,000+ encrypted servers in 94 countries for secure browsing
- Protects up to 5 devices at the same time
ExpressVPN has the best-available safety features necessary to protect you from hackers.
In addition to almost unhackable military-standard encryption and OpenVPN/IKEv2 protocols, ExpressVPN uses RAM technology on its servers. That means that your data is never written to disk and it gets deleted with every server reboot. I was really impressed because this is one of the safest ways to manage a server network. Even if hackers were able to enter one of ExpressVPN’s 3,000+ servers, the data and the intruder will only stay on the server until it is rebooted. You can be sure that no one will be able to spy on your activities by hacking ExpressVPN servers.
In 2017, Turkish police took ExpressVPN’s servers to try to find information about a murder suspect. But because of the no-logs policy, authorities couldn’t find any user data. This evidence should reassure you that ExpressVPN is serious about protecting you from third parties.
The idea of a hacker finding out where I live really frightens me, so I wanted to research ExpressVPN’s IP address and DNS leak protection. After dozens of tests with servers around the world, ExpressVPN always kept my real location hidden. Plus, if your VPN connection ever drops, its automatic kill switch will prevent your real data from being accidentally exposed.
Although it has all the security features needed to protect you from hackers, I was disappointed that ExpressVPN doesn’t have ad/malware blockers. But since it is compatible with other ad/malware blockers, I don’t think this is a big deal. After all, ExpressVPN offers top security and works anywhere (it even works in China!).
Before committing to a long-term subscription, I recommend you try ExpressVPN risk-free using its 30-day money-back guarantee. If you’re not happy with the service, simply ask for a refund before the end of the period — I got my money back within 4 days.
ExpressVPN also works on: Windows, macOS, iOS, Android, Linux, routers, Chrome, Kindle, Firefox, PlayStation, Xbox, Switch, Apple TV, Amazon Fire TV, and Smart TVs.
ExpressVPN unblocks: Netflix, Disney+, YouTube TV, BBC iPlayer, Sling TV, Fubo TV, Hulu, HBO, ESPN, and more.
2. CyberGhost
- Military-grade encryption protocols for secure browsing
- Leak protection and a kill switch protect your data
- Malware and ad blockers for increased protection
- 7,000+ safe servers in 89 countries
- Protect 7 devices simultaneously
Like the other VPNs on this list, CyberGhost uses military-grade AES 256-bit encryption and either OpenVPN or IKEv2 protocols to protect you. On Windows, you can choose between these two top protocols, but only IKEv2 is available on Mac. You can be reassured that this encryption will keep you secure from prying eyes on its 7,000+ servers.
I was surprised to learn that CyberGhost has so many additional security features. To protect you from possible scams, you can use CyberGhost’s ad blocker to stop intrusive pop-ups, video ads, and banners. I was excited about this feature because nothing is more annoying than pop-ups that interrupt your browsing or streaming. Similarly, it also has a malware blocker to prevent you from entering malicious websites that could infect your computer. Since so many hackers use malware and ads to exploit you, these features gave me peace of mind.
In addition to these extra security features, CyberGhost also offers a unique automatic HTTPS redirect to ensure your browser loads the most secure version of all webpages. Since HTTP connections aren’t encrypted, your data could be intercepted by others. The HTTPS redirect will prevent you from accessing these unsecured connections accidentally. Personally, I thought this feature would be really useful since I never remember to check if a website is HTTP or HTTPS before opening it.
While it has great basic safety features, CyberGhost doesn’t have the same security validations as the other VPNs on this list. For example, CyberGhost’s no-logs policy hasn’t been verified by independent audits. The good news is that it is located in Romania (which is outside of the 5, 9, and 14 Eyes alliances) and has never handed over user information to authorities. But an independent audit would give me more reassurance.
If you’re not ready to commit to a long subscription, try it with CyberGhost’s 45-day money-back guarantee — that’s the most generous refund policy on this list. I was able to get my money back in about 5 days with the help of CyberGhost’s customer service chat.
CyberGhost works with: Netflix, Disney+, Amazon Prime, BBC iPlayer, Hulu, HBO, YouTube TV, ESPN, NBC, and more.
CyberGhost also works on: Windows, macOS, Linux, Android, iOS, Chrome, Firefox, Android TV, Amazon Fire Stick & TV, and routers.
FAQs: Preventing VPN Hacking
Are there VPNs that can’t be hacked?
There’s a tiny risk that any VPN could be hacked, but some are much safer than others. The 2 VPNs on this list have the best security standards in the industry and would take years and millions of dollars to be hacked. Both use the best encryption standards available, have strict no-logging policies, and passed DNS/IP leak protection tests with ease.
Of all the VPNs on this list, my testing showed that ExpressVPN is the most secure. If you’re still unsure about its capabilities, you can even try it risk-free for 30 days to test all its security features for yourself.
Are free VPNs secure?
While there are a few decent free services available, downloading free VPNs can be a huge security risk. Many of these providers implant dangerous malware on your devices. Others record your data to sell to marketers and other unverified third parties in order to make money. I don’t know about you, but I really dislike the idea of my information being stored and shared without my consent.
Even the safest free VPNs have serious performance issues and some security issues. They have slower speeds, data caps, and annoying (potentially dangerous) ads. It’s much safer to use a quality VPN like ExpressVPN. If you need a service for just a short time, you can always use ExpressVPN risk-free for 30 days. I also found that its monthly fee is affordable when you sign up for its longer-term subscriptions.
Are there VPNs I should avoid because they’re unsafe?
There are many VPN services that you should avoid because their poor security practices put you at risk. Worse yet, some of the most unsafe services have positive ratings and millions of downloads on app stores, so it can be difficult to figure out which ones to avoid. I recommend reviewing these tips to choose a secure VPN so you don’t get tricked into using an unsafe service. You can also research this list of dangerous VPNs to avoid:
- Opera VPN stores data about your online activity and physical location. They also share this information with third parties to send you targeted ads!
- Hola VPN keeps extensive user logs and works on a peer-to-peer network system, meaning that your online traffic is shared with other subscribers.
- Betternet has millions of downloads in the Google Play Store, but it has been found putting malware on users’ phones and selling the data it collects to anyone who is willing to pay for it (including hackers).
- TouchVPN logs data about your online activities, physical location, and device location for marketing and other purposes.
How can you improve your VPN’s security against hackers?
You can improve your VPN’s security against hackers by using Tor, turning on extra security features, and reviewing the encryption protocol.
Tor is a free browser that keeps your data anonymous on the dark or surface web. Tor was originally created to allow US spies to communicate without being traced. It works by encrypting your data multiple times and transmitting it through servers around the world. Using a VPN before connecting to Tor is one of the best ways to stay totally anonymous online. If you’re interested in using this browser to stay anonymous, you can try ExpressVPN.
Aside from using Tor, you can engage your VPN’s additional security settings. Some VPNs offer ad blockers, malware detection, double-VPN connections, and other features to maximize your security against hackers and other prying eyes.
Additionally, make sure to check your VPN’s encryption protocol configuration. Depending on your device, operating system, and the VPN itself, your provider may enable a particular protocol. I recommend you use protocols like OpenVPN or IKEv2 because they are fast, stable, and extremely secure. If you’re unsure how to configure this, check with the customer support of any of the VPN services recommended in this article — they should respond almost immediately.
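If your provider gives you an OpenVPN configuration file, the selection criteria above (AES 256-bit, no DES or Blowfish, SHA-2 rather than SHA-1) can be checked mechanically. The following is an added example, not a tool from any provider in this article: it reads the standard OpenVPN directives cipher, data-ciphers and auth, and the sample configurations and the host vpn.example.net are constructed placeholders.

```python
# Added example: audit an OpenVPN client config against this article's criteria.
WEAK_PREFIXES = ("DES", "BF")  # DES/3DES and Blowfish (BF-CBC) families
WEAK_DIGESTS = {"MD5", "SHA1"}
SHA2_DIGESTS = {"SHA224", "SHA256", "SHA384", "SHA512"}
AEAD_SUFFIXES = ("-GCM", "-POLY1305")


def parse_directives(text):
    """Return {directive: [args]} keeping the last occurrence of each one."""
    found = {}
    for raw in text.splitlines():
        # '#' and ';' start comments in OpenVPN config files.
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = line.split()
            found[parts[0].lower()] = parts[1:]
    return found


def classify_cipher(name):
    upper = name.upper()
    if upper.startswith(WEAK_PREFIXES):
        return "weak"
    return "ok" if upper.startswith("AES-256-") else "other"


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    d = parse_directives(text)
    findings = []
    ciphers = []
    if d.get("cipher"):
        ciphers.append(d["cipher"][0])
    if d.get("data-ciphers"):
        ciphers += d["data-ciphers"][0].split(":")
    for c in ciphers:
        verdict = classify_cipher(c)
        if verdict == "weak":
            findings.append(f"FAIL cipher {c}: DES/Blowfish family")
        elif verdict == "other":
            findings.append(f"WARN cipher {c}: not AES-256")
    # With AEAD ciphers (GCM, ChaCha20-Poly1305) the data channel is
    # authenticated by the cipher itself, so a missing 'auth' matters less.
    aead = bool(ciphers) and all(c.upper().endswith(AEAD_SUFFIXES) for c in ciphers)
    auth = (d.get("auth") or [None])[0]
    if auth is None:
        if not aead:
            findings.append("WARN auth unset: SHA1 is OpenVPN's default HMAC digest")
    elif auth.upper() in WEAK_DIGESTS:
        findings.append(f"FAIL auth {auth}: use SHA256, SHA384 or SHA512")
    elif auth.upper() not in SHA2_DIGESTS:
        findings.append(f"WARN auth {auth}: not a SHA-2 digest")
    return findings


# Constructed sample configurations (not taken from any real provider).
LEGACY = """client
dev tun
remote vpn.example.net 1194  # placeholder host
cipher BF-CBC
auth SHA1
"""
MODERN = """client
dev tun
remote vpn.example.net 1194
data-ciphers AES-256-GCM
auth SHA256
"""
MIXED = """client
dev tun
data-ciphers AES-256-GCM:AES-128-GCM
"""

if __name__ == "__main__":
    for name, cfg in (("legacy", LEGACY), ("modern", MODERN), ("mixed", MIXED)):
        print(name, audit(cfg) or "all checks passed")
```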
Protect Yourself From Hackers With a Secure VPN
Although it is possible that any cybersecurity product could be hacked, that doesn’t mean you should stop using VPNs. Without one, you’re much more likely to experience an attack because you’re an easy target with no online protection.
To stay safe, choose a provider with top-tier security. Remember: the chances of a top service like ExpressVPN being successfully hacked are very low. Plus, you can take advantage of its 30-day money-back guarantee to test its security yourself.