Can VPNs Steal Your Passwords Or Personal Data?

A VPN is a great tool for securing personal data and passwords from hackers or third parties. But, you should also be aware that your valuable data might get stolen if you use an improper service. With that said, can a VPN itself steal your passwords? And, can it see all the private data that goes through its tunnel?

A VPN can infect your device with malware, steal your private information, or even sell your valuable data to the highest-bidding third party. There have been numerous examples of many VPNs abusing their users’ trust for extra profit.

Of course, this isn’t to say that every VPN does so. But, these are all massive reasons you should be careful and make sure you pick a trusted VPN that protects you. If you’re worried about how a VPN can steal your data, read on to learn how this can occur and what you can do to prevent it from happening to you.

Can a VPN See Your Personal Data?

In theory, all your data might be seen by the VPN provider. But not all private information can be viewed. The data that a VPN can see depends on the security protocol used to connect to a website. It is unlikely that a reliable and trusted VPN would spy on your private data.

How Can a VPN Steal Your Private Data?

Your private information can indeed be seen by a VPN provider. But it is not an easy task to do even when it has control over internet traffic. There are a few ways a VPN can steal this private data. Here’s how:

1. Intercepting HTTP connection to a website
2. Forging or faking certificates
3. Intercepting HTTP connection

Back in the day, an insecure HTTP protocol was used to connect to websites. This protocol would exchange plain-text messages between the browser and the server. HTTP is still the base of many connections that happen over the internet.

All HTTP messages are human-readable so that data can be easily stolen. To tackle this issue, a new protocol version was developed called HTTPS (S stands for Secure). All traffic using HTTPS is encrypted so that no one who intercepts it can see the actual data. In all modern browsers, such a secure connection is marked by a lock symbol once you visit a website:

So, can the VPN app steal your data? Nowadays, there are still websites that use the insecure version instead of HTTPS. All the passwords and personal information sent over HTTP can be intercepted and seen by a VPN. But, if a connection is HTTPS, even a VPN app can not decrypt it. For that, an advanced hacking method called certificate forging can be used.

Forging or Faking Certificates

An HTTPS connection to the websites is encrypted using certificates. A VPN encryption is an extra encryption layer on top of already secured HTTPS traffic. To better illustrate this, here’s a visual principal scheme of how it works:

How VPN works with HTTPS connection

This double encryption is what keeps your data private from ISPs and hackers. Even though the HTTPS connection is very secure, a VPN provider can crack it. This can be done by installing their self-signed certificates on your device.

Installing fake certificates on your device would often need administrative privileges. One way a VPN provider could do it is by offering to install a compromised and malicious VPN app. Fake certificates would enable a VPN to intercept and decrypt HTTPS traffic. They would be able to inspect, see your data, and forward it to a website without you knowing it.

Such a method is used by untrustworthy and shady VPNs that are either free or made in China. A VPN that would use a certificate forging method would most likely get caught pretty quickly. Moreover, a reputable and well-known VPN would never do that, so your passwords are safe.

Can VPN See Your Banking Login Credentials?

It is very hard to compromise the bank’s security for a VPN provider. So a VPN can not see any of your banking login credentials. Finance institutions and services like PayPal and banks must comply with high-security regulations. So, they always use secure connections whenever trying to log in to your account.

Can VPN Steal The Passwords That You Type?

The only way a VPN could steal your password is when a website uses an unsecured HTTP connection. This way, your password can be seen in plain text once you click a button and try to log in. Typing a password into a field would not expose it to a VPN, so it can not be stolen this way.

This is because a VPN cannot actually see your keystrokes. For it to do so, it would first have to infect your device with malware without your antivirus noticing it. So, if you’re wondering, “Can a VPN steal passwords”, the answer is that it depends. 

If a malicious VPN manages to get you to input information on a site with unsecured protection or install malware on your device, then yes. Otherwise, you’ll be safe, as the site’s secure encryption will safeguard your password, even from the VPN.

Free VPNs Steal and Sell Your Data

Many free VPN and proxy providers do gather and steal your data. They do that because running a VPN service for free is not a sustainable business model. They collect personal information that is later sold to third parties and advertisers. Free VPNs are not that trustworthy and are not recommended for use for privacy.

An additional type of VPN service that you should avoid is the one that is made in China. It’s well known that China has heavy content censorship practices and tracks all Internet activities. Trustworthy and non-China-based VPNs are banned there, and only government-approved VPNs are allowed. The reason for this is simple — Chinese VPNs track and collect data from their users. 

History of VPNs Stealing Users’ Data

After discussing how and why some services might steal the personal data of their users, let’s move to more concrete examples that happened in previous years. Here’s a brief history of some VPNs stealing users’ data:

Hola VPN

In 2016, Hola was one of the most popular free VPN services, with over 100 million users. This was all before the service was busted for being untrustworthy and potentially very dangerous for its users.

Hola’s privacy policy is one of the most intrusive ones to date. This VPN logged tons of personally identifiable information on its users without their knowledge or consent. It stored users’ IP, email, the websites they visited, and much more. For those who logged into Hola through social media, the logged information could also include their pictures, real address, or anything they might have shared on social media.

To add to all of this, Hola VPN was proven to hijack the Internet connection of its users, undermining their privacy. It used botnets and who knows what else at the expense of the resources of the users’ devices.

Betternet

Often listed as one of the most disappointing VPNs nowadays, Betternet has gained this label as it was a promising service a few years back. While it hasn’t been caught red-handed in such dangerous activities as Hola VPN, it has still been found to be one of the riskiest VPNs to use.

For starters, Betternet has shared data on its users with third parties before. Not only that but its apps are heavily infected with malware. More specifically, Betternet’s Android app is one of the most malware-infected VPNs. All of this is enough to convince anyone to avoid using this service.

Touch VPN

Touch VPN is another massively popular VPN that surprisingly enjoys a great standing on the Google Play Store, with a 4.3 rating from over 800,000 reviews. However, if you do some research, you can find that Touch VPN has a shockingly intrusive privacy policy.

It logs a long list of identifiable information on you and automatically sets encryption to PPTP. It’s also based in the US and suffers from serious leaks. This is a worrying combination and should be sufficient reasoning for you to ignore Touch VPN.

Psiphon VPN

In 2018, a malware framework with immense surveillance capabilities was found in Psiphon VPN’s installation files. While this was only found on Psiphon’s Android installation files, it’s worrying that the Android app is the most popular Psiphon VPN app, with over a hundred million downloads. 

The concealed malware had the ability to manipulate users’ devices to log inbound text and messages, collect GPS coordinates, and steal loads of other valuable user data.

SuperVPN

SuperVPN is a reasonably capable VPN service that manages to unblock a lot of geo-restricted sites. However, this doesn’t make up for the colossal downside of featuring heavily malware-infected apps.

In 2017, researchers found malware in its apps that allowed SuperVPN to act as a honeypot for cyber attackers and web snoopers. It allowed hackers to steal sensitive user data such as personal credentials and even credit card information.

Which VPNs are Trustworthy?

It’s always best to pick the one that has an audited and proven No-Logs policy. Besides that, here’s what makes a VPN trustworthy:

• Well-known name and long reputation in the business
• Strict and proven no-log policy
• Based in a country out of surveillance alliances
• Advanced privacy protection features
• Reliable customer staff

Three Most Trusted VPNs

1. NordVPN

NordVPN is arguably the best VPN in the industry and the most trusted VPN on the market. It has an impeccable reputation and ticks all of the boxes you would look for in a trustworthy VPN. It’s based in Panama, is regularly audited, and doesn’t keep any logs on its users. What’s more, you can even pay in cryptocurrency to stay anonymous when signing up with NordVPN.

This VPN offers over 5,500 servers in 59 countries. Nearly all of its servers support the service’s NordLynx protocol. This WireGuard-based protocol delivers uncompromising privacy and connection speeds up to two times faster than what other protocols can muster. 

Many of NordVPN’s servers support features like obfuscation and Double VPN, which provide you with added privacy protection. You can count on features like split tunneling, kill switch, and full leak protection that will ensure your data is well locked up. 

NordVPN boasts a handy Dark Web Monitor that immediately notifies you in case any of your private credentials get leaked on the dark web. It also allows you to set up multi-factor authentication to secure your apps.

2. ExpressVPN

ExpressVPN is one of the safest and most trustworthy VPNs. It has maintained a spotless reputation for well over a decade since it launched back in 2009.  The service is based in the British Virgin Islands. This is an overseas territory with its own privacy laws and is not a part of any international surveillance organization. 

This trusted VPN service has thousands of servers spread across 94 countries. Like our previous pick, ExpressVPN only uses RAM-based servers. Moreover, it employs TrustedServer technology, which ensures data is wiped on every reboot and that servers don’t write any information on hard drives.

ExpressVPN has developed a proprietary protocol called Lightway. This transparent protocol is open-source and available for anyone to inspect. With a kill switch, split tunneling, and private DNS on every server, ExpressVPN delivers always-on protection that doesn’t skip a beat.

3. VyprVPN

VyprVPN has over 700 servers in more than 70 locations worldwide. In total, this VPN service has over 300,000 available IP addresses in its library. It includes DNS leak protection, IP protection, and WebRTC leak protection. VyprVPN also possesses advanced features like split tunneling and a kill switch.

Another commendable aspect of this service is that VyprVPN runs everything in-house. It heavily emphasizes the fact that no third parties are involved in the process of running its business. This means that only VyprVPN oversees its servers and hardware. And, when you consider that VyprVPN doesn’t log any personally identifiable information, this ensures flawless protection of your valuable data. 

To top everything off, VyprVPN is based in Switzerland, a country known for its dedication to privacy. The only noticeable downside of VyprVPN is its steep monthly subscription price. So, if you want top-notch privacy, VyprVPN delivers it at a reasonably high price.

Conclusion

Choosing an unreliable and unproven VPN can have devastating consequences on your online privacy. This is why it’s important to carefully pick the service you want to use. 

With a trustworthy VPN, you can rest assured that your private information and passwords are safe at all times. Luckily, there are a few reputable VPN providers that have a strict no-log policy and a great reputation. 

If you want to keep your browsing activities private, we advise you to stick with one of our top three recommendations. They don’t log any of your activity data nor have ever stolen any user information, so they are well capable of keeping all of your private information safe and protected.

Personal Data and VPNs FAQs

Should I use a free VPN to protect my data?

A general rule of thumb is that you shouldn’t use a free VPN if you want to keep your passwords and data safe. Free VPNs are popping up online regularly, and there’s almost no way to check a new provider’s history or reputation. They might contain malware, log and sell your personal data, and more.

Can a VPN track my online activity?

Yes, a VPN service can log and track your online activity. This is something mostly free VPNs use, although certain paid VPNs aren’t strangers to the practice. So, it’s crucial to understand the VPN’s privacy policy and see what it does and doesn’t collect. Ideally, you should use a VPN with a no-logs policy.

What data can a VPN steal?

A malicious VPN can steal a worrying amount of data. The list of information that a VPN can steal includes your password, your banking and credit card details, your real name, and your address. This is more than enough data to cause you financial damage or even get you in trouble with authorities.

References:

• Don’t pass on password protection
• Password Best Practices