Over the weekend, customers of Hong Kong-based VPN service PureVPN were taken aback by an email that was seemingly sent by the company’s founder Uzair Gadit, saying that their accounts were closed “due to an incident.”
“We are no longer able to run an anonymization service due to legal issues we are facing,” it said. “We had to handover all customer’s information to the authorities unfortunately. They might contact you if they need any details about the case they are working on. The following information was handed over: your name, billing address and phone number provided during purchase and any documents we had on file (for example scan of your ID or driver’s license if you have provided these to our billing department).”
“We are also sorry we are not able to refund you, however if you wish your money back, please open a dispute on PayPal or file a chargeback with your credit card company. This is the only way we can refund you as our bank account is frozen during this investigation. We recommend you to do this as soon as possible as we can’t guarantee all customers will get their money back. We apologize once more this had to happen,” it concluded.
The company behind the service reacted immediately – they took to Twitter to reassure their customers that the email was fake, and direct them to a blog post explaining the situation.
“We are NOT closing down nor do we have outstanding legal issues of any sort. We have neither been contacted by any authorities nor do we store our user’s personal data to share with anyone,” they assured initially. “Our VPN service is working 100% OK. You may continue using our VPN service which is secure to the highest possible levels of encryption. While we are investigating the issue, we’ve temporarily disabled everyone from logging into the billing portal / client area.”
In a second, later update they explained that users’ credit card and / or PayPal and billing information was not compromised, as they do not store it in their on-site databases. They also made sure to note that service troubleshoot logs (connection attempts, users IPs) and VPN service usage logs are also safe for the same reason.
“We are able to confirm that the breach is limited to a subset of registered users Email IDs and names,” they said, and added that preliminary reports suggest that the breach was executed by taking advantage of a recently patched zero day SQL injection vulnerability in WHMcs, the third party CRM they use on their website.
“The vulnerability allows an attacker, who has valid login to the installed product, to craft a SQL Injection Attack via a specific URL query parameter against any product page that updates database information,” it is explained.
“Clearly, we are getting more and more popular crossing new heights too fast for some to worry and such attacks are not unexpected with popular services these days,” the company added, and promised new information as it becomes available.