In years past, when we traveled, and I was using any public wifi, I'd use a VPN for extra security against hackers 'listening' in to my internet connection. Although all VPN's promise security and no logging of confidential info on a user of the VPN, one must take these promises with a huge grain of salt, as the following story so well illustrates. I hadn't used or ever heard of Lime VPN, and thank goodness for that.

I just took a look at the Lime VPN website, and they clearly state 'no logging of info'. Hmmm? What, then, are the hackers of Lime VPN trying to sell for $13 million, do you suppose?.

Jim Hamm

A hacker just took down LimeVPN’s website, stole over 69,400 sensitive user logs, and is looking to sell them for a $400 Bitcoin payment on a hacker forum. While breaches like this are increasingly commonplace, the real news is how the hacker got the logs since LimeVPN says it is a no-log service.

LimeVPN confirmed that its backup server is what got hacked. PrivacySharks, who initially reported the breach, talked with the alleged hacker who then confirmed that they were able to gain access to the site and shut it down through a security hole.

That backup server contained a database filled with sensitive user account data like email addresses, passwords, and payment information from its WHMCS billing system. The hacker also claims to be in possession of every user’s private key, meaning they are potentially able to decrypt any traffic passing through the VPN service. And now, that hacker is attempting to sell this information to the highest bidder on a renowned hacker forum. They are asking for $400 Bitcoin, which is roughly $13.4 million.

After touting on its website that it didn’t keep logs, LimeVPN is certainly under suspicion now since the hacker was able to jump in and scrape its entire database. Its customers were under the impression that none of their information or activity would be stored on the company’s server and are now the ones having to pay for LimeVPN doing so anyway.

Unfortunately, there isn’t much LimeVPN users can do at this point to stop the breach. However, just to be safe, we recommend users of the service stop using it immediately, take action to protect payment information (like order a new credit card), change the passwords of any sites visited while using the VPN, and watch out for potential identity theft.

The breach serves as a reminder that the vast majority of VPNs are not trustworthy. Most lure customers in with cheap prices and hollow promises of security and privacy without actually being able to back them up. If you’re looking for a (new) VPN service we recommend taking a look at our best VPN services, especially our best overall pick, ExpressPVN. This service regularly undergoes independent security audits to back up its no-log policy.