More than 2.1 million VPN passwords were stolen by malware in the past year, highlighting a growing risk of unauthorized access to secure networks, according to a Specops Software report.
These passwords, chosen by end users for VPN access, present significant vulnerabilities, allowing hackers to infiltrate corporate systems.
The report noted that despite the strong security of popular VPN services such as ProtonVPN, ExpressVPN, and NordVPN, more than one million ProtonVPN users had their credentials stolen by malware.
“Attackers are increasingly bypassing direct attacks on VPNs, targeting end users instead,” the report said.
Cybercriminals exploit poor password practices, phishing attacks and malware to obtain VPN login details. Sophisticated phishing schemes mimic VPN login pages, while keyloggers capture credentials on infected devices.
The research also revealed the most compromised VPN passwords, with predictable patterns like “12345”, “qwerty” and “password” topping the list.
Even mild variations like “P@ssw0rd” show a poor effort to meet the complexity requirements, offering little real protection.
Service-related terms like “protonvpn” and “dyadroid1” also appeared frequently, indicating that some users are setting their VPN name as their password.
The findings highlight the ongoing problem of bad password practices, which continue to expose even secure VPN services to potential breaches through easy-to-guess credentials.
Patrick Tiquet, vice president of security and architecture at Keeper Security, explained that the rise of VPNs in the 1990s and their increased use during the COVID-19 pandemic have made them essential tools for remote access.
“However, the discovery of millions of stolen VPN passwords demonstrates a dangerous example of their limitations,” he said.
While VPNs encrypt traffic and mask IP addresses, they cannot prevent attacks such as malware infections or phishing.
Tiquet noted that this vulnerability underscores that VPNs are not a panacea for online security, and that companies must evolve beyond relying solely on VPNs to incorporate additional defenses such as remote browser isolation (RBI) to protect themselves from such threats.
He said that to prevent cyber attacks stemming from the theft of VPN credentials, organizations should implement multi-factor authentication (MFA) and enforce strict password hygiene.
“Passwords should be at least 16 characters long and include a mix of upper and lower case letters, numbers and special characters,” he added. “Avoid using easy-to-guess information like birthdays or common words.”
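The weak-password patterns the report lists (bare dictionary words, keyboard walks, and leet-style variants such as “P@ssw0rd”) and the 16-character, four-class policy quoted above can both be enforced at password-set time. The following checker is an added example written for this article; it is not code from Specops, Keeper Security or any VPN vendor. The weak-password list and the service names are constructed for illustration, and the leet-substitution table is an assumption about which variants are worth collapsing; a real deployment would check against a full breached-password corpus instead.

```python
import re

# Constructed sample of weak passwords drawn from the patterns the report names.
# A production check would use a breached-password list, not this short set.
COMMON_PASSWORDS = {"12345", "qwerty", "password", "letmein", "welcome"}

# Service-related terms the report saw used as passwords (constructed list).
SERVICE_NAMES = ("protonvpn", "expressvpn", "nordvpn")

# Leet-style substitutions that turn "password" into "P@ssw0rd" without adding
# real entropy (assumed table); they are undone before the weak-list lookup.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

MIN_LENGTH = 16  # length floor quoted in the article


def normalize(password):
    """Lowercase, drop trailing digits/punctuation, then undo leet substitutions,
    so trivial variants map back to their base word ("P@ssw0rd1" -> "password")."""
    base = re.sub(r"[^a-z]+$", "", password.lower())
    return base.translate(LEET_MAP)


def check_password(password, service_names=SERVICE_NAMES):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # The four character classes from the quoted policy.
    classes = {
        "uppercase": re.search(r"[A-Z]", password),
        "lowercase": re.search(r"[a-z]", password),
        "digit": re.search(r"\d", password),
        "special": re.search(r"[^A-Za-z0-9]", password),
    }
    missing = [name for name, found in classes.items() if not found]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))

    # Reject the exact weak string and anything that collapses onto one.
    lowered = password.lower()
    for candidate in (lowered, normalize(password)):
        if candidate in COMMON_PASSWORDS:
            problems.append(f"variant of common password '{candidate}'")
            break

    # Reject passwords built around the name of the service they protect.
    for name in service_names:
        if name in lowered:
            problems.append(f"contains service name '{name}'")
    return problems


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "12345", "MyProtonVPN2024!!", "Correct-Horse-Battery-Staple-42"):
        print(pw, "->", check_password(pw) or "OK")
```

The normalization step is what catches the “mild variations” the report describes: “P@ssw0rd” satisfies all four character classes yet collapses to “password”, so a class-only check would accept it while this one rejects it.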
Push without password
Traditional VPN technology, especially when it relies on password-based authentication, presents significant security risks, including susceptibility to password theft, brute-force attacks, and malware exploitation.
In contrast, alternatives such as passwordless, certificate-based authentication and zero-trust network access (ZTNA) models provide superior security by eliminating shared secrets and reducing the potential attack surface, thereby substantially reducing the risks inherent in conventional VPNs.
Jason Soroko, senior fellow at Sectigo, warned that while password hygiene and multifactor authentication provide some mitigation, they still rely on vulnerable shared secrets.
“The transition to passwordless solutions such as certificate-based authentication provides a superior defense against credential theft,” he said.
Soroko added that organizations can detect compromised VPN credentials by monitoring unusual login activity, using breach detection services, and using security tools that alert on misuse of credentials, although these methods are mostly reactive.
Tiquet said auditing current VPN access logs for unusual activity is crucial.
“Businesses should also segment their networks to minimize the potential for damage from a compromised VPN account and apply any available security patches to VPN software,” he said.
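Two of the “unusual login activity” signals Soroko and Tiquet refer to can be pulled straight out of VPN gateway logs: a run of failed logins followed by a success on the same account (a stolen or guessed credential finally working), and a single account connecting successfully from two different countries within a short window (the classic impossible-travel indicator). The audit script below is an added example, not the article's or any vendor's code. The log format, the geo-tagged `country=` field and the sample lines (using documentation IP ranges) are all constructed for illustration; real appliances log differently, so the regex is the part to adapt.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN gateway log sample (hypothetical format, documentation IPs).
SAMPLE_LOG = """\
2024-05-03T08:12:41Z user=alice src=203.0.113.5 country=US result=success
2024-05-03T08:40:02Z user=bob src=198.51.100.7 country=DE result=success
2024-05-03T09:01:10Z user=alice src=198.51.100.22 country=BR result=success
2024-05-03T11:15:00Z user=carol src=203.0.113.9 country=US result=failure
2024-05-03T11:15:03Z user=carol src=203.0.113.9 country=US result=failure
2024-05-03T11:15:05Z user=carol src=203.0.113.9 country=US result=failure
2024-05-03T11:15:09Z user=carol src=203.0.113.9 country=US result=failure
2024-05-03T11:15:12Z user=carol src=203.0.113.9 country=US result=failure
2024-05-03T11:15:20Z user=carol src=203.0.113.9 country=US result=success
2024-05-03T14:30:00Z user=bob src=198.51.100.7 country=DE result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"country=(?P<country>\S+) result=(?P<result>\S+)$"
)


def parse(log_text):
    """Turn log lines into dicts with a parsed timestamp; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def detect_failure_bursts(events, threshold=5, window=timedelta(minutes=2)):
    """Flag a successful login preceded by >= threshold failures within `window`."""
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["result"] != "success":
                continue
            recent_failures = [
                f for f in evs[:i]
                if f["result"] == "failure" and e["ts"] - f["ts"] <= window
            ]
            if len(recent_failures) >= threshold:
                alerts.append((user, f"success after {len(recent_failures)} failures"))
    return alerts


def detect_country_changes(events, window=timedelta(hours=2)):
    """Flag an account that succeeds from two different countries within `window`."""
    alerts = []
    last_success = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] != "success":
            continue
        prev = last_success.get(e["user"])
        if prev and prev["country"] != e["country"] and e["ts"] - prev["ts"] <= window:
            alerts.append((e["user"], f"{prev['country']} -> {e['country']} within window"))
        last_success[e["user"]] = e
    return alerts


def audit(log_text):
    """Run both detectors over a log and return (user, reason) alerts."""
    events = parse(log_text)
    return detect_failure_bursts(events) + detect_country_changes(events)


if __name__ == "__main__":
    for user, reason in audit(SAMPLE_LOG):
        print(f"ALERT {user}: {reason}")
```

On the sample, carol's five failures followed by a success and alice's US-to-BR jump inside two hours are flagged while bob's two German logins are not. Both thresholds are tuning knobs: a travelling user or a flaky client will trip them, which is why such alerts are a prompt to verify with the user (and to force a credential reset plus MFA re-enrollment if the login was not theirs) rather than an automatic block.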