* Final Update *
- encrypted salted passwords were compromised, so reset your password now (and anywhere else you reused it)
- names and e-mails were also compromised
- VPN service and billing information were NOT compromised
- Existing customers will get 2 to 5 weeks FREE as compensation
As bad as this situation is, I think PureVPN should be applauded for keeping customers well informed and for releasing this full breakdown of the attack so quickly. Regardless, it will clearly give some customers pause. Is it better to go with a VPN that has been burned before and handled it well, or one that has never been compromised? Is the lack of a known intrusion luck, skill, or simply a failure to disclose one? Our review of PureVPN in conjunction with DD-WRT was not stellar, but they do have good integration with Sabai OS. Their service is well liked and widely used by PC and Mac users. It would be a shame if this had more than a passing negative effect on them.
* Update 7 *
PureVPN has sent out another e-mail reinforcing its earlier statements and reporting progress on double-checking its systems and determining the extent of the breach.
TL;DR: “The user database breach…has been identified as an isolated breach that compromised Email IDs and names of a subset of our registered users. We repeat no billing information such as Credit Card or other sensitive personal information was compromised.”
This is going to be a short update on the matter.
In the wake of the hack attempt we have been continuously testing our systems for any further possible security lapses. It has been more than 36 hours now since the incident and we want to reassure our valued users that all systems including the Client area, Billing Systems, Support center as well as all the systems of the VPN service including the VPN servers are functioning 100% well. Although never affected, load on the VPN service is usual and we are thankful to our valued users for their understanding and cooperation.
The user database breach that occurred yesterday, due to a security exploit found in the 3rd party application WHMCS, has been identified as an isolated breach that compromised Email IDs and names of a subset of our registered users. We repeat no billing information such as Credit Card or other sensitive personal information was compromised.
Our conclusive investigation report is near completion and we are just waiting on the involved 3rd party services to confirm a few aspects related with their system. We deeply regret this compromise and apologize to our valued users. We further believe we’ll learn from our mistakes and grow even stronger. Once the investigation report is out, we’ll be announcing compensation for the affected users.
Web Announcement Link: http://www.purevpn.com/blog/
Please follow us on Twitter @purevpn (https://twitter.com/purevpn) to remain updated with latest developments.
Uzair Gadit, Co-founder.
On behalf of The PureVPN Team.
* Update 6 *
It’s been pointed out that WHMCS, the CRM software that was the source of the breach, is part of the billing system at PureVPN. It appears to act only as a gateway to PayPal and the like, though, so the statement that “we do not store any of our users credit card nor PayPal information in our on-site databases, there has been no compromise in our users billing information” seems reasonable.
* Update 5 *
PureVPN has updated their blog post and sent another e-mail with more information on the breach. Kudos to PureVPN for being so open about what happened and working over the weekend to try to resolve this issue.
Adding up the time zones, the security update from their CRM vendor came out at 3:46 AM Friday, Hong Kong time (19:46 GMT Thursday plus eight hours). The fraudulent e-mail was sent Sunday morning Hong Kong time. Since then, updates have been coming from PureVPN throughout the day and into Sunday night Hong Kong time.
TL;DR: The third party CRM software that PureVPN uses was exploited. Payment information and VPN logs were not affected. The third party has issued an update to correct the vulnerability.
Our VPN service is functioning 100% fine and there is no interruption whatsoever. While we are investigating the cause of the email, we reemphasize that, as we do not store any of our users credit card nor PayPal information in our on-site databases, there has been no compromise in our users billing information. Similarly, service troubleshoot logs (connection attempts, users IPs, etc) are safe and intact as we do not store such logs on site. Furthermore, as we vouch for privacy, security and anonymity on the internet, we do not store actual VPN service usage logs.
Preliminary reports suggest that we are hit with a zero day exploit, found in WHMCS, the 3rd party CRM that we use on our website: http://blog.whmcs.com/?t=79427
We are able to confirm that the breach is limited to a subset of registered users Email IDs and names.
At PureVPN, in recent months, we have experienced phenomenal growth and we are pretty excited with what we have been working on in the back office. Clearly, we are getting more and more popular crossing new heights too fast for some to worry and such attacks are not unexpected with popular services these days. Such incidents add to our resolve to continuously improve our service for our users.
Please follow us on @purevpn to keep up to date with latest developments
The linked post from WHMCS reads in part:
WHMCS has released new patches for the 5.2 and 5.1 minor releases. These updates provide targeted changes to address security concerns with the WHMCS product. You are highly encouraged to update immediately…
The resolved security issue was publicly disclosed by “localhost” on October 3rd, 2013.
The vulnerability allows an attacker, who has valid login to the installed product, to craft a SQL Injection Attack via a specific URL query parameter against any product page that updates database information.
Updated: 10/3/2013 – 2:46PM CST [10/3/2013 19:46 GMT]
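The WHMCS note above describes only the bug class: a user with a valid login, a URL query parameter, and a page that writes to the database. As an added illustration that is not WHMCS code and does not reproduce the actual flaw (the affected parameter is not named in the text quoted here), the Python below builds a small record-update handler the way such bugs arise, with the client id pasted into the SQL string and the ownership check living in that same string, runs an injected query string against it, and shows the parameterized version rejecting the same input. The `clientarea.php` URL, the `clients` table, the rows and the parameter names are all invented for the example.

```python
import sqlite3
from urllib.parse import parse_qs, urlparse

# Constructed sample data; the table and the rows are invented for the example.
CLIENTS = [(1, "admin@example.com"), (2, "attacker@example.com"), (3, "victim@example.com")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE clients (id INTEGER PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO clients VALUES (?, ?)", CLIENTS)
    conn.commit()
    return conn


def query_params(url):
    """The two query parameters the (invented) page reads: id and email."""
    qs = parse_qs(urlparse(url).query)
    return qs["id"][0], qs["email"][0]


def update_email_vulnerable(conn, session_uid, url):
    """Bug class from the advisory: a logged-in user updates a record, the
    record id comes from the URL and is pasted into the SQL, and the
    ownership check lives in that same string, so a crafted id rewrites it."""
    client_id, new_email = query_params(url)
    sql = (f"UPDATE clients SET email = '{new_email}' "
           f"WHERE id = {client_id} AND id = {session_uid}")
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount        # rows changed: should never exceed 1


def update_email_safe(conn, session_uid, url):
    """Fix: validate the id as an integer, enforce ownership in Python, and
    bind both values as parameters so the input can never become SQL."""
    client_id, new_email = query_params(url)
    try:
        client_id = int(client_id)
    except ValueError:
        return 0
    if client_id != session_uid:
        return 0
    cur = conn.execute("UPDATE clients SET email = ? WHERE id = ?",
                       (new_email, client_id))
    conn.commit()
    return cur.rowcount


def emails(conn):
    return [row[0] for row in conn.execute("SELECT email FROM clients ORDER BY id")]


# Attacker (session uid 2) requests the invented page with id=2 OR 1=1 --
# so the WHERE clause matches every row and the trailing -- comments out the
# ownership condition: every account's contact address now points at the attacker.
ATTACK_URL = ("https://billing.example/clientarea.php?action=details"
              "&id=2%20OR%201%3D1%20--&email=attacker%40example.com")
HONEST_URL = "https://billing.example/clientarea.php?id=2&email=new%40example.com"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, rows changed:", update_email_vulnerable(db, 2, ATTACK_URL), emails(db))
    db = make_db()
    print("hardened, rows changed:", update_email_safe(db, 2, ATTACK_URL), emails(db))
```

The rowcount is the tell: a per-account update that touches three rows has been turned into a mass write, which is how a contact address (and with it any password-reset flow) can be hijacked across a whole user table from one authenticated session. Binding parameters is what closes the hole; the integer conversion and the Python-side ownership check are defence in depth.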
* Update 4 at 5:24 GMT *
The affiliate area is off-line as well. (Disclosure: SecureRouter.org is a purevpn affiliate.)
* Update 3 at 5:23 GMT *
* Update 2 at 5:14 GMT *
(Note: my correct first name was listed, as opposed to “customer”, in the fraudulent e-mail, and the e-mail came through MailChimp)
* Update *
It appears that someone has compromised PureVPN’s user e-mail database or e-mail server and sent this e-mail to discredit the service. Looking at the e-mail header, the message appears to have come through:
Received: from o1.email.purevpn.com (o1.email.purevpn.com [184.108.40.206])
This is consistent with previous billing-related e-mails I have gotten from them. Advertising e-mails have been through MailChimp.
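To make the header check above repeatable, here is an added Python example (mine, not from the post) that parses the Received chain of a message and reports which host handed it to your own mail server, compared against the hosts seen on legitimate mail from the provider. The first Received line reuses the one quoted above; the receiving server (`mx.example.net`), the inner hop, and the second message are constructed. Two caveats a practitioner should keep in mind: only the Received line written by your own mail server is trustworthy, since the sender controls every line beneath it, and a match against a known host tells you the mail came through the provider's legitimate infrastructure, which is exactly what the post suspects here, not that the provider authorized it.

```python
import email
import re

# Constructed sample message. The first Received line is the one quoted in the
# post; the receiving server (mx.example.net), the inner hop and the rest of
# the message are made up so there is a realistic two-hop chain to parse.
RAW_MESSAGE = """\
Received: from o1.email.purevpn.com (o1.email.purevpn.com [184.108.40.206])
\tby mx.example.net (Postfix) with ESMTPS
\tfor <customer@example.net>; Sun, 6 Oct 2013 02:27:14 +0000
Received: from [10.0.0.5] (unknown [10.0.0.5])
\tby o1.email.purevpn.com with ESMTP
From: PureVPN <support@purevpn.com>
To: customer@example.net
Subject: Account closure

(body omitted)
"""

# Second constructed message: same claimed From:, but handed to our server
# by a host never seen on legitimate mail from the provider.
RAW_OTHER = """\
Received: from smtp.relay.invalid (smtp.relay.invalid [192.0.2.10])
\tby mx.example.net (Postfix) with ESMTP
\tfor <customer@example.net>; Sun, 6 Oct 2013 02:30:00 +0000
From: PureVPN <support@purevpn.com>
To: customer@example.net
Subject: Account closure

(body omitted)
"""

# Hosts previously seen on legitimate mail from the provider (here: the one
# the post reports on its earlier billing e-mails).
KNOWN_SENDER_HOSTS = {"o1.email.purevpn.com"}

# "from HELO (rDNS [ip]) ... by RECEIVER" as written by Postfix and friends.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[^\]]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)",
    re.S,
)


def parse_received(raw):
    """Return the Received hops in header order: index 0 is the most recent
    hop, i.e. the line added by the last server the message passed through."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if m:
            hops.append({k: m.group(k) for k in ("helo", "rdns", "ip", "by")})
    return hops


def trusted_hop(hops, our_mx_suffix):
    """The only hop the sender could not have forged is the first one recorded
    by our own mail server; return it, or None if no such line exists."""
    for hop in hops:
        if hop["by"].endswith(our_mx_suffix):
            return hop
    return None


def classify_sender(hops, our_mx_suffix, known_hosts):
    """Say how the message reached us, based solely on the trusted hop."""
    hop = trusted_hop(hops, our_mx_suffix)
    if hop is None:
        verdict = "no hop recorded by our own server"
    elif hop["rdns"] is None or hop["rdns"] != hop["helo"]:
        verdict = "HELO name does not match reverse DNS"
    elif hop["rdns"] in known_hosts:
        verdict = "via known sender host"
    else:
        verdict = "via unknown host"
    return {"verdict": verdict, "hop": hop}


if __name__ == "__main__":
    for raw in (RAW_MESSAGE, RAW_OTHER):
        print(classify_sender(parse_received(raw), ".example.net", KNOWN_SENDER_HOSTS))
```

The suffix passed to `classify_sender` should carry its leading dot so that `mx.example.net` matches but `notexample.net` does not. On a real mailbox the allowlist would be built from headers of mail you know to be genuine, and a "via known sender host" verdict on a message like the one below is itself the finding: the provider's own sending infrastructure, or its account at that infrastructure, has been used.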
10/6/2013 2:27 GMT:
I’m sorry to inform you that due to an incident we had to close your account permanently. We are no longer able to run an anonymization service due to legal issues we are facing. We had to handover all customer’s information to the authorities unfortunately. They might contact you if they need any details about the case they are working on. The following information was handed over: your name, billing address and phone number provided during purchase and any documents we had on file (for example scan of your ID or driver’s license if you have provided these to our billing department).
We are also sorry we are not able to refund you, however if you wish your money back, please open a dispute on PayPal or file a chargeback with your credit card company. This is the only way we can refund you as our bank account is frozen during this investigation. We recommend you to do this as soon as possible as we can’t guarantee all customers will get their money back.
We apologize once more this had to happen.