On September 17, 2024, we became aware of a research piece published by a password security company. It claimed that more than 80,000 CyberGhost VPN account credentials were exposed, and said this was likely due to malware. We’ll explain why we’re not concerned by this report, and why you shouldn’t be either.
What Happened?
A blog post, since referenced in Tom’s Guide, claims to have found more than two million leaked passwords from VPN accounts, with CyberGhost VPN as the fourth most-impacted provider. Reportedly, 83.6K CyberGhost account credentials were compromised by means of different malware attacks – the report speculates that these could have ranged from brute force attacks (trial and error guesswork) to “sophisticated” phishing attempts. The report doesn’t explain how its authors obtained this data or how these attacks might affect individual accounts.
While the volume of account details included in the report sounds intimidating, we don’t think you should be overly alarmed by this research. However, we strongly encourage you not to ignore any reminder to change your passwords, audit your privacy settings, and strengthen your online security. We are confident that this has not arisen from any flaw in our service, which is, as always, secure.
This Alleged Breach Doesn’t Affect CyberGhost VPN
Even if this report is true and CyberGhost credentials were leaked, our VPN was not compromised in any way (and neither was any other provider named in the article). Unfortunately, malware attacks occur and can compromise user credentials – but this doesn’t impact our service. CyberGhost VPN remains a secure service committed to protecting your privacy.
There Was No Responsible Disclosure
As this didn’t impact the service we provide, there was no responsible disclosure. Responsible disclosure is a process that ensures security issues like leaks or bugs are only made public after the impacted company has had time to review their processes and make any necessary fixes. This report was published without prior notification, so if there had been an issue with our service, we wouldn’t have been able to fix it.
How responsible disclosure works: We operate a Bug Bounty program that encourages disclosure of any security issues in advance under responsible disclosure guidelines. Additionally, breaches or vulnerabilities almost always come with a CVSS (Common Vulnerability Scoring System) score attached to measure the severity and scale of the issue. This is a best of both worlds approach where security researchers can claim their “bounty” while also ensuring that users remain safe and secure.
The bottom line is that this isn’t a credible security report: CyberGhost VPN was not contacted about this report ahead of publication, and there is no CVSS score attached. The original report lacks anything resembling a methodology or any means of delivering consumer-level security improvements, so there’s no available evidence that the findings are legitimate or that our users have been affected by any kind of malware by using our services.
How to Recognize Legitimate Research
The internet is full of unverified hack and leak claims, making it hard to feel safe online. You can give yourself better peace of mind by learning to recognize what makes cybersecurity reports legitimate.
Check for Evidence
As well as CVSS scores, legitimate cybersecurity research should include evidence of the vulnerability being reported. Where this isn’t possible, such as when there’s a need to protect sensitive information, reports should at a minimum include a methodology that explains how the data was gathered and analyzed.
Look for Ulterior Motives
Consider why the research has been published in the first place. Is the piece written by a competitor who has an interest in making other companies offering similar services look bad? Is it a marketing piece in disguise? Legitimate research is published to further trust in the industry.
Verify the Writer’s Credibility
Make sure the report has been written by someone credible, for example, someone who is named as a cybersecurity expert on the company’s website. While reports online may be published by on-staff writers, most companies ask their in-house experts – such as engineers, testers, infrastructure architects, or product managers – to report major findings for additional credibility.
How to Protect Yourself from Malware Attacks
While we’re not worried by this report, it’s still a great reminder to practice password and cybersecurity hygiene. Here are some tips for keeping your password-protected accounts secure.
- Use strong passwords on all your accounts. Strong passwords are unique, long, and random, making them harder to guess.
- Practice good cyber hygiene. You can help yourself stay safe online by taking simple steps, including installing antivirus software, learning to recognize different types of malware, and learning to identify phishing emails.
- Use a VPN on public Wi-Fi. Open Wi-Fi networks can be convenient, but they’re also susceptible to malware. Using a VPN on public Wi-Fi secures your connection to help prevent hacks.
CyberGhost VPN Values Your Security
CyberGhost VPN is one of the most popular consumer VPNs on the market today. While we applaud and respect responsible disclosures that are made with the intent to improve industry security, unsubstantiated reports like this only serve to harm the industry as a whole.