Can VPNs Steal Your Passwords Or Personal Data


It is known that a VPN is a great tool to secure personal data and passwords from hackers and third parties. We trust that a VPN service will increase the privacy of our browsing and that our login credentials will stay secure and unseen. However, we do not completely turn a blind eye to the private information we pass to a VPN, and we are aware that it might get stolen. But can a VPN really take your passwords and see all your private data?

In theory, all your personal data might be seen once it is routed via a server managed by the VPN company. But not all private information can be viewed; it highly depends on the security protocol used when connecting to a website. However, it is unlikely that a reliable VPN would spy on your private data.

It is true that your private information can be seen by a VPN provider, but that is not an easy task even when you control the internet traffic. However, there are a few ways a VPN could actually steal this private data: an easy way and a more advanced way, depending on the security configuration of the website you are trying to reach.

Back in the day, an unsecured protocol called HTTP (HyperText Transfer Protocol) was used to connect to websites. This protocol exchanges messages and commands between the browser and the web server so they can communicate. It is still the basis of many connections on the internet, but it is not secure: all messages exchanged over HTTP are sent in plain, human-readable text, so the information can easily be seen and stolen. To tackle this issue, a secure version of the protocol was developed, called HTTPS (HyperText Transfer Protocol Secure). With HTTPS the traffic is encrypted so that no one who intercepts it can read the actual data sent. Modern browsers mark a secure or unsecured connection with a lock symbol (or a warning) in the address bar when you visit a website, like this:

[Screenshots: the "Not Secure" warning shown for an HTTP connection, and the lock indicator shown for a secure HTTPS connection, in the Firefox and Chrome browsers]

Nowadays there are still websites that use HTTP instead of HTTPS. All data and personal information sent over an unsecured HTTP connection can be intercepted and read by the VPN provider: the VPN encrypts everything inside its tunnel, but that also means it can decrypt and read the data at the far end. Seeing private information this easily can only happen over an HTTP connection; with HTTPS it is a different story.
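As an added example (not code from the original article), the following Python script models what an on-path party such as a VPN server can read from each request: for http:// URLs the whole request, for https:// URLs only the host name learned from the TLS handshake. Run over constructed request records, it flags password fields submitted in cleartext, which is the check a security team would use to find sites that still accept logins over plain HTTP. The field names in SECRET_FIELDS and the sample hosts are assumptions.

```python
"""Audit constructed request records for credentials sent over plain HTTP.

Added example; it models an on-path intermediary (ISP or VPN server):
http://  -> method, host, path and body are all readable
https:// -> only the host name (from the TLS handshake) is readable
"""
from urllib.parse import urlsplit, parse_qs

# Form field names that commonly carry secrets in login forms (assumption).
SECRET_FIELDS = {"password", "passwd", "pwd", "pass", "token"}


def visible_to_intermediary(method: str, url: str, body: str) -> dict:
    """Return the parts of one request an intermediary can see."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        # TLS hides the request line and body; the host name still leaks.
        return {"scheme": "https", "method": None, "host": parts.hostname,
                "path": None, "fields": {}}
    fields = {k: v[0] for k, v in parse_qs(body).items()} if body else {}
    return {"scheme": parts.scheme, "method": method, "host": parts.hostname,
            "path": parts.path, "fields": fields}


def exposed_credentials(records):
    """Return (host, field) for every secret-looking field sent over plain HTTP."""
    findings = []
    for method, url, body in records:
        seen = visible_to_intermediary(method, url, body)
        if seen["scheme"] != "http" or seen["method"] != "POST":
            continue
        for name in seen["fields"]:
            if name.lower() in SECRET_FIELDS:
                findings.append((seen["host"], name))
    return findings


# Constructed sample records: one insecure login, one HTTPS login, one plain GET.
SAMPLE_RECORDS = [
    ("POST", "http://forum.example/login", "user=alice&password=hunter2"),
    ("POST", "https://bank.example/login", "user=alice&password=hunter2"),
    ("GET", "http://news.example/", ""),
]

if __name__ == "__main__":
    for host, field in exposed_credentials(SAMPLE_RECORDS):
        print(f"credential field '{field}' sent in cleartext to {host}")
```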

When an HTTPS connection is made through a VPN, the connection between your browser and the website is secured and trust is established using certificates. The VPN's encryption is an additional layer on top of the already encrypted HTTPS traffic. Here is a simplified diagram of how it works:

[Diagram: how a VPN connection works with the HTTPS protocol]

It is this double encryption that keeps your data private from ISPs and hackers. Even though an HTTPS connection is highly secure on its own, it is possible for a VPN provider to break into it by installing its own certificates on your device.

Installing fake certificates on your device would usually require administrative privileges, and one way a VPN provider could obtain them is by getting you to install a compromised or malicious VPN application. Fake certificates would allow the provider to intercept and decrypt HTTPS traffic for inspection and re-encrypt it before sending it onwards. Such a scheme is used by untrustworthy, shady VPNs that are either free or made in China. A VPN that intercepted and monitored private HTTPS traffic would likely get caught quickly and go out of business, so any reputable and well-known VPN would never do that.

Financial institutions such as PayPal or your bank have to comply with strict security regulations, so they use HTTPS whenever you log in to your account. Compromising that security is very hard for a VPN provider, so it cannot see any of your financial login credentials.

The only way a VPN could steal your password is when a website uses an unsecured HTTP connection; then your password would be visible in plain text when you try to log in. Passwords are mostly saved locally in your browser, and just typing one into a field does not expose it to a VPN, so it cannot steal your password that way.

Many free VPN and proxy providers do gather and steal your data. They do this because running a VPN service for free is not a sustainable business model. They collect personal data that is later sold to third parties and advertiser networks. Free VPNs are not trustworthy and are not recommended for privacy.

It is well known that China has implemented content censorship and monitors all internet activity. Trustworthy, non-China-based VPNs are banned there; only China-made VPNs are allowed. Just like the free ones, Chinese VPNs are most likely to monitor and collect their users' data and either sell it to advertisers or report it to the government, so China-based VPNs are not recommended.

Choosing a VPN provider you trust not to steal your passwords or monitor your personal information has to be a serious decision. A reputable VPN that protects your login credentials and does not collect your information must have at least these qualities:

  • Well known and a long time in business
  • Has a strict and proven no-log policy
  • Based outside of surveillance alliances (non-US based)

Here are some reputable VPNs that meet those criteria and are well known in the VPN market:

NordVPN
  • 5200+ global servers in 59+ countries
  • CyberSec malware and ad-blocking protection
  • Next-generation encryption with double VPN servers
  • Obfuscation technology that masks VPN traffic
  • Strict no-logs policy
  • Works with Netflix and good for streaming
  • Lightning fast with P2P support
  • 30-day money-back guarantee

ExpressVPN
  • 160+ locations and 3000+ servers
  • Strict no-log policy
  • Unlimited streaming (Netflix, Hulu, BBC iPlayer)
  • Strong military-grade AES 256-bit key encryption
  • Kill switch, split tunneling and RAM-disk servers
  • 30-day money-back guarantee
  • Windows, macOS, iOS, Android and Linux support
  • Fast speeds and reliable connections

Surfshark
  • 1700+ global servers in 61+ countries
  • CleanWeb ad-blocking feature
  • Secure and strong encryption with OpenVPN
  • Whitelister, multi-hop VPN and kill switch
  • No-logs policy
  • Works with Netflix and good for streaming
  • Great speeds
  • 30-day money-back guarantee
Using a trustworthy VPN, your private information and passwords are safe; however, it is still theoretically possible for a VPN provider to see your data. One way is to intercept and monitor an unsecured HTTP connection; the other, more difficult way is to install fake certificates on your device. The latter technique is used mainly by free and shady VPN services that steal and sell your data. However, there are a few reputable VPN providers that have a strict no-log policy and have been in the VPN business for a long time. These VPNs are the best to use when you want to keep your browsing activity really private.

