What the PureVPN Hack Exposed

Last weekend we received an email claiming that PureVPN was shutting down due to legal issues. A short time later we were informed by PureVPN that the original message was a fake. The question remained as to how someone had obtained our member information, including email addresses, to send the fake message. As it turns out, PureVPN was the victim of a hack caused by a zero-day exploit in their third-party WHMCS application.

PureVPN has kept their users informed via email and their blog. The hack exposed a subset of their customers' names and email addresses. As one of the members affected, I'm concerned over their system being breached but relieved that more important data like billing and credit card information was not exposed.

Here’s a copy of the fake email we received on October 5th:

Dear customer,

I’m sorry to inform you that due to an incident we had to close your account permanently. We are no longer able to run an anonymization service due to legal issues we are facing.

We had to hand over all customers' information to the authorities unfortunately. They might contact you if they need any details about the case they are working on. The following information was handed over: your name, billing address and phone number provided during purchase and any documents we had on file (for example scan of your ID or driver's license if you have provided these to our billing department).

We are also sorry we are not able to refund you, however if you wish your money back, please open a dispute on PayPal or file a chargeback with your credit card company. This is the only way we can refund you as our bank account is frozen during this investigation. We recommend you to do this as soon as possible as we can’t guarantee all customers will get their money back.

We apologize once more this had to happen.

Yours sincerely,
Uzair Gadit
PureVPN founder

Soon after the fake email we received this message from PureVPN:

Hope you are doing well and enjoying PureVPN’s services.

This morning some of our users have received a fake email and we are sending this note as a clarification. We are NOT closing down nor do we have outstanding legal issues of any sort. We have neither been contacted by any authorities nor do we store our users' personal data to share with anyone.

In terms of service, features, level of support and speed of VPN network we are indeed stronger than ever and our recent growth rate has been phenomenal. Lots of additional features have been planned and we are pretty excited with what we have been working on in the back office.

Status of the VPN service:
Our VPN service is working 100% OK. You may continue using our VPN service which is secure to the highest possible levels of encryption.

Status of Billing Portal / Client area:
While we are investigating the issue, we’ve temporarily disabled everyone from logging into the billing portal / client area.

We’ll shortly be communicating further updates.

Sincerely,
Uzair Gadit, Co-founder.
On behalf of The PureVPN Team.

Later on Sunday we received an update from the PureVPN team:

We are writing this email to give you ‘Second Major Update’ on PureVPN Fake Email Issue.

Our VPN service is functioning 100% fine and there is no interruption whatsoever. While we are investigating the cause of the email, we reemphasize that, as we do not store any of our users' credit card or PayPal information in our on-site databases, there has been no compromise of our users' billing information. Similarly, service troubleshooting logs (connection attempts, users' IPs, etc.) are safe and intact as we do not store such logs on site. Furthermore, as we vouch for privacy, security and anonymity on the internet, we do not store actual VPN service usage logs.

Preliminary reports suggest that we were hit with a zero-day exploit found in WHMcs, a 3rd-party CRM that we use on our website: http://blog.whmcs.com/?t=79427

We are able to confirm that the breach is limited to a subset of registered users' Email IDs and names.

At PureVPN, in recent months, we have experienced phenomenal growth and we are pretty excited with what we have been working on in the back office. Clearly, we are getting more and more popular crossing new heights too fast for some to worry and such attacks are not unexpected with popular services these days. Such incidents add to our resolve to continuously improve our service for our users.

Web Announcement Link: http://www.purevpn.com/blog/fake-email-to-clients-update-1/

Please follow us on Twitter @purevpn to remain updated with latest developments.

Thank you for your patience, understanding and support!

Uzair Gadit, Co-founder.
On behalf of The PureVPN Team.

Followed by another update on Monday:

This is going to be a short update on the matter.

In the wake of the hack attempt we have been continuously testing our systems for any further possible security lapses. It has been more than 36 hours now since the incident and we want to reassure our valued users that all systems including the Client area, Billing Systems, Support center as well as all the systems of the VPN service including the VPN servers are functioning 100% well. Although never affected, load on the VPN service is usual and we are thankful to our valued users for their understanding and cooperation.

The user database breach that occurred yesterday, due to a security exploit found in the 3rd party application WHMcs, has been identified as an isolated breach that compromised Email IDs and names of a subset of our registered users. We repeat no billing information such as Credit Card or other sensitive personal information was compromised.

Our conclusive investigation report is near completion and we are just waiting on the involved 3rd party services to confirm a few aspects related to their system. We deeply regret this compromise and apologize to our valued users. We further believe we'll learn from our mistakes and grow even stronger. Once the investigation report is out, we'll be announcing compensation for the affected users.

Web Announcement Link: http://www.purevpn.com/blog/fake-email-to-clients-update-1/

Please follow us on Twitter @purevpn (https://twitter.com/purevpn) to remain updated with latest developments.

Best Regards,

Uzair Gadit, Co-founder.
On behalf of The PureVPN Team.

This message was shared as the investigation concluded on October 13th:

Dear PureVPN Clients,

We would like to start by accepting complete responsibility for the unfortunate incident that happened on October 6th, 2013. As one of the biggest VPN providers, PureVPN combats all sorts of malicious attacks and cyber crimes in their various forms. Our hard working staff is at work 24 hours a day, 365 days a year with a mission to defeat what's bad for millions of innocent internet users the world over. Unfortunately, there are times when the bad, thanks to zero day exploits, gains some upper hand to be able to momentarily disrupt those hard efforts. The hard reality is that this war between the good and the bad is never ending. Our friends at Google, Apple, Microsoft, Adobe, Facebook, Twitter and others, despite having the best resources at their disposal, all face such short lived defeats but only to grow stronger. Now it's our time to grow stronger.

Our engineers and the security team have worked round the clock, extensively auditing all systems, during the past 8 days to bring this conclusive report out today to our valued users. Although the fix for what was obvious was applied within a few hours, we kept on investigating for the root cause which we hereby present to our valued users.

On 4th Oct 2013 the hacker, using a Romanian IP address, was able to exploit a bug in WHMcs, the 3rd party billing and ticketing solution that we use on our website, and ran several SQL injection queries to compromise a few tables including "tblclients", "tbladmins" and "tblconfiguration". The hacker obtained users' info (mainly name and email) including hashed passwords (i.e. not in a readable form but in an irreversible encrypted form) but obviously couldn't compromise the sensitive billing information (Credit Card or PayPal information) as it's NOT stored on the on-site database. User passwords are also stored using MD5 + (salt) encryption which is essentially irreversible. Although not an imminent threat, we encourage our users to reset their passwords as a precautionary measure.

The hacker, knowing that (s)he had a short time window, was not able to compromise the complete users database; rather, when (s)he reached approx. 70,000 clients (s)he moved on to the mass mail stage. Using the same exploit the hacker was able to compromise our SendGrid account access information, the 3rd party SMTP we use for transactional emails, which is stored in WHMcs in the same database (tblconfiguration). After illegally obtaining Email IDs and our SMTP account credentials, the hacker accessed our SendGrid account, imported the Email IDs, created a newsletter and sent the fraudulent mass mail on 6th Oct 2013 at 10:26 HKT (GMT+8).

A further and thorough audit of our VPN systems has confirmed that there was absolutely no breach on the VPN network and throughout the incident our VPN service continued to operate securely. No technical usage data was compromised and since we do not store users' activity logs, our users are hereby assured of full anonymity and security throughout.

We have learned from several of our mistakes and have started taking measures immediately to prevent this from happening again in the future. As a token of our continued commitment to our clients, we are offering compensation. Details of the compensation are as follows:

  • Affected clients who have subscribed for Annual subscription will get 5 weeks of free service.
  • Affected clients who have subscribed for Semi-Annual subscription will get 3 weeks of free service.
  • Affected clients who have subscribed for Monthly subscription will get 2 weeks of free service.

If you are an affected user and haven’t received the compensation email, kindly create a support ticket here after logging into your Client Area.

Again, we accept complete responsibility for what has happened but we are determined to continue our fight against the bad. The war will go on.

Sincerely,

Uzair Gadit, Co-Founder,

On behalf of The PureVPN Team.
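The report above says passwords were stored as salted MD5 and asks users to reset them. Salted MD5 is fast to compute, so the server-side fix a defender would pair with that advice is to re-hash each password with a slow KDF the next time the user logs in successfully. The example below is added here and is not PureVPN's or WHMCS's code; the legacy record layout `md5$<salt>$<hex>` with MD5(salt + password) is an assumption, since the page only says "MD5 + (salt)".

```python
import hashlib
import hmac
import os

# Assumed legacy layout (not WHMCS's real format): "md5$<salt>$<hex>",
# where hex = MD5(salt + password). Kept only so old records still verify.
def legacy_md5_hash(password: str, salt: str) -> str:
    digest = hashlib.md5((salt + password).encode()).hexdigest()
    return f"md5${salt}${digest}"

# Hardened layout: scrypt from the standard library, with its cost
# parameters and a random 16-byte salt stored alongside the derived key.
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32

def scrypt_hash(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"

def verify(stored: str, password: str) -> bool:
    """Check a password against either record layout, in constant time."""
    scheme, rest = stored.split("$", 1)
    if scheme == "md5":
        salt, digest = rest.split("$")
        expected = hashlib.md5((salt + password).encode()).hexdigest()
        return hmac.compare_digest(expected, digest)
    if scheme == "scrypt":
        n, r, p, salt_hex, key_hex = rest.split("$")
        key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                             n=int(n), r=int(r), p=int(p), dklen=KEY_LEN)
        return hmac.compare_digest(key.hex(), key_hex)
    return False  # unknown scheme: never accept

def verify_and_upgrade(stored: str, password: str) -> tuple:
    """Returns (ok, record_to_store). A successful login against a legacy
    MD5 record yields a fresh scrypt record so the weak hash can be dropped;
    a failed login leaves the record untouched."""
    if not verify(stored, password):
        return False, stored
    if stored.startswith("md5$"):
        return True, scrypt_hash(password)
    return True, stored

if __name__ == "__main__":
    # Constructed sample record, not real user data.
    record = legacy_md5_hash("correct horse", "a1b2c3")
    ok, upgraded = verify_and_upgrade(record, "correct horse")
    print(ok, upgraded.split("$")[0])
```

Records that never see a successful login stay on MD5, which is why a forced reset, as the report recommends, still has to accompany the migration.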

We appreciate the transparency during the investigation and wish the PureVPN team the best moving forward. If you're a member and have concerns over your account or personal information, please contact the PureVPN support team.