A VPN can steal your passwords if malicious code or malware is installed into the applications you download and install from a VPN provider.
Having worked in a network security team for several years, I have tested hundreds of VPNs and have never had any of my passwords stolen.
That’s not to say it is impossible, but big-name VPNs like ExpressVPN, NordVPN, and Surfshark have established their reputation as trusted providers.
If you are concerned about your passwords being visible to your VPN provider and how it may be possible for your passwords to be compromised, keep reading.
A Closer Look At VPN Password Theft
Check out some of the burning questions people like me have asked about our passwords’ safety while using a VPN.
- How VPN Providers Can Steal Your Passwords?
- Can VPNs Steal Other Data Than Passwords?
- Dangerous VPNs; What To Watch Out For?
- Should You Trust A Free VPN?
- Can A VPN Track Your Online Activity?
- Here Are Some of The Safest VPN Providers
How VPN Providers Can Steal Your Passwords?
Rogue VPN providers rely on you accessing websites with insecure encryption protocols to steal your passwords.
Websites that use HTTP instead of HTTPS encryption make it straightforward for VPN administrators to steal passwords and other sensitive data.
There are several other means of password theft occurring, which I have outlined below.
Insecure HTTP requests
HTTP connections give the VPN visibility of your passwords and other data submitted during your web session on the insecure site.
For example, if you used a VPN and logged on to an internet banking website that did not use HTTPS encryption, your username and password could both be visible to your VPN administrator.
Installing Self-Signed Certificates
When you visit a website that uses HTTPS encryption, the connection is secured with an SSL (Secure Socket Layer) certificate. You can add an extra layer of encryption using a VPN.
Although an HTTPS connection is secure, an untrusted VPN provider that installs a self-signed certificate on your device can bypass this encryption.
Installing a self-signed certificate often requires permission from the device admin, but malicious VPN apps riddled with malware that are installed on your device could potentially bypass this.
If a VPN installed a self-signed certificate on your device, it would allow it to bypass HTTPS encryption to see all of the data you previously thought was encrypted.
Most reputable VPNs have established reputations for being safe, whereas free providers may attempt to steal your data through the above means.
VPNs Can Use a Fake DNS
A DNS (Domain Name Service) translates a web address into a four-digit number, for example, the DNS record 192.0. 2.44 identifies Amazon.com.
In other words, any user that types in amazon.com
When using a VPN, traffic is routed differently and operates its own DNS service. Most reputable VPNs use an authentic DNS service, while a VPN that fakes DNS records will use a different four-digit octet to transfer the user to a different website to where they were intended to go.
The website may even look legit, but behind it is malicious code ready to capture personal information.
Check out this phishing scam circulating in the UK where customers waiting on Royal Mail parcels are sent an SMS stating that there is a small fee to cover the delivery of their parcel. The link in the SMS looks authentic, but upon clicking, it takes the user to a fake website that’s identical to Royal Mail.
Users are requested to enter their credit card info to pay the parcel surcharge, and guess what? A hacker then has their credit card details to use as they wish.
VPN Browser Extensions Can Steal Your Data
Many VPN providers have a browser extension available alongside their native app. Instead of encrypting all of your internet traffic (like Outlook and other apps), the browser extension only encrypts traffic going through your browser.
If a VPN browser extension is compromised or you download a malicious browser plugin, hackers can easily set up web pages that look like legit versions of the sites you visit.
As a result, visiting a banking website that you believe is authentic (when it’s a fake) and entering your login credentials will expose these details to hackers.
To minimize installing a compromised VPN browser extension, it’s recommended to install the native app from the official website of a reputable VPN provider.
That way, all of your internet traffic is encrypted instead of just protecting your browser traffic.
Hackers Intercept Public Wifi
Although VPNs do not steal your data at wifi hotspots, it should be noted that they do not ensure the safety of your online activity while using public wifi.
Public wifi allows anyone with a wifi enabled device to connect to a network and enjoy free internet. You’ll often find a wifi hotspot at places like airports, restaurants, and movie theatres.
The problem is most of them have zero encryption in place.
That means you don’t require a username and password like you would if you were using your home wifi.
It is straightforward for a hacker to set up a fake wifi hotspot that may appear like it’s your local McDonald’s, while in fact, it is set up to trap unsuspecting wifi users. When you connect to a fake hotspot, it opens a door for hackers to install malware on your device, which can steal your usernames and passwords by recording your keystrokes.
Another technique hackers use is known as ‘’SSL Stripping’’ which involves intercepting your connection to hijack your passwords when you visit unencrypted websites not using HTTPS.
Lastly, a hacker might provide a fake wifi hotspot that has a stronger signal than all of the other hotspots nearby. This not only pushes the hotspot to the top of the available wifi networks but entices the user to connect to a hotspot with a more stable connection.
Installing Malware on Your PC
Some dangerous VPN providers like SuperVPN bundle their apps or browser plugins with malware without you knowing, and as a result, whether the website uses encryption or not, it can log and steal your passwords.
Can VPNs Steal Other Data Than Passwords?
Yes, VPNs can steal other data than passwords. Untrusted VPN providers can also steal the following:
Personal Data
- Your Name
- Address
- Phone Numbers
- Email Address
Sensitive Data
- Online Banking username and password
- Debit or Credit Card Numbers
Theoretically, a compromised VPN application riddled with malware can access any of the information you transmit over the internet and is not limited to the above data types.
Can A VPN Track Your Online Activity?
A VPN (even paid providers) can track and log your online activity, whether browsing the web, streaming Netflix, or torrenting. Because of this, it is vital to select a VPN provider that does not keep logs.
If you are unsure of whether a VPN collects and stores logs, you can often determine this by visiting their privacy policy along with understanding their operational location.
Surfshark and ExpressVPN are both outside of the five eyes jurisdiction, meaning even if they did keep logs, they would not be required to hand over the data to authorities if they were requested to. They are both very transparent in their privacy policies.
Should You Trust A Free VPN?
You should not trust a free VPN provider unless you have done extensive research to show it:
- Uses high-end encryption to protect your online identity
- Passes malware scans
- Does not log, store or sell your data
New free VPNs regularly appear online without any form of reputation or ways to check the provider’s authenticity.
Free Servers Require Maintenance
Both free VPNs and paid VPNs require servers to run, and those servers need maintenance to run efficiently. The maintenance procedures need manpower, which ultimately means paying someone money to fix things when they go wrong.
Paid VPNs recoup the cost of running their servers from their subscribers, while free VPNs generate revenue through other means. That usually involves gathering your internet data and selling it to third parties without you consenting or knowing anything about it.
An Example of a Bad VPN
Take the example below from Archie VPN available on the Android PlayStore. Although it hasn’t been updated in over twelve months, it is still available to download.
It is also known for bundling dangerous malware on your device, which steals data without the user even being aware.
At the time of writing, the app has had over 10,000 downloads, meaning those users have potentially suffered some kind of data theft.
Free VPNs May Track Activity
Most trustworthy VPN providers operate a zero-logs policy which means none of your online activity is ever recorded. As a result, none of your usernames, passwords, or other sensitive data is available to the agents operating the VPN service, even if they wanted to access it.
On the other hand, untrusted VPNs may say they don’t keep logs when their privacy policy says something entirely different. In essence, this means that your data is recorded at a VPN level. If requested, it can be accessed by the VPN admins or even handed over to your ISP or local authorities.
A prime example of a free VPN that tracks and stores logs on your activity is Touch VPN. The Touch VPN privacy policy states they “share information with third parties for additional purposes, including for marketing, research and analytics purposes.”
This gives a clear indication that they track and share your internet activity without explaining what data they’re sharing about you.
A VPN is used to encrypt your internet activity at a very base level, so your identity and location remain anonymous online. While most free VPNs claim to protect your online privacy, most are out to steal your data for malicious use.
Can A VPN See Your Keystrokes?
No, a VPN cannot see your information as you type it. Instead, accessing a website that uses insecure HTTP encryption could reveal your previously asterisked password as plain text after clicking the login button.
Read Also: VPN Comparisons
Here Are Some of The Safest VPN Providers
- ExpressVPN has a solid reputation and operates a zero-logs policy out of the Virgin Channels Islands, so they are never required to hand logs to your ISP.
- NordVPN uses military-grade encryption to protect your data. It operates from Panama, which is out of government jurisdiction to hand records of their user’s internet activity.
- Surfshark also operates out of the Virgin Channels Islands, and although it’s a relatively newer VPN, it has rapidly built a reputation as a trustworthy provider.
- VyprVPN uses proprietary servers, meaning it owns all of its servers and hardware, backing up its no-logging policy. It protects data from over 2 million users, which solidifies its reputation.
Read Also: Are VPNs Safe?
Conclusion
Although a compromised VPN application can steal your passwords, using a trusted provider with a positive track record will ensure your data remains safe during VPN usage.
I have tested ExpressVPN, NordVPN, and Surfshark for several years now, and they have proven to be providers you can trust.
I have never had any information leaks while using their VPN protection, and I would recommend anyone concerned about a VPN stealing their credentials to select a provider from this list or choose a well-established provider at the minimum.
