VPN Data Breach Security Incident Tracker
Continuously Maintained Security Database

VPN Data Breach and Security Incident Tracker

A documented record of consumer VPN breaches, exploited enterprise gateways, malicious installers, server seizures and service attacks—with evidence labels, scope limitations and practical actions.

First published: 10th June 2026 | Accuracy audit: 10th June 2026
By Martin Needs — Cybersecurity Expert
Scope and evidence standard: Inclusion does not mean customer data was exposed. A vulnerability, DDoS attack, legal search, server seizure or malicious third-party installer is not labelled a data breach without evidence of unauthorised access to protected data. Provider statements are attributed, and disputed attribution is identified.
Tracked entries: 9 documented cases. Four current-priority entries and five historically important benchmarks.
Active exploitation: Check Point CVE-2026-50751. Check Point confirmed exploitation and CISA added the flaw to its KEV catalog.
Highest patch urgency: Ivanti Sentry. Critical pre-authentication flaws now have public technical analysis; no in-the-wild exploitation was known at disclosure.
Evidence rule: No breach inflation. Confirmed access, potential exposure, outages and legal events remain separate classifications.

A consumer provider may lose control of one server without exposing accounts. An enterprise gateway flaw may give attackers internal access. A fake installer may infect users while the real provider remains uncompromised. This tracker keeps those distinctions visible.


Current Priority Incidents

June 2026 · Enterprise VPN gateway

Check Point VPN Authentication Bypass Under Active Exploitation

Critical
Identifier: CVE-2026-50751 · CVSS 9.3
Exploitation: Confirmed; observed from 7 May 2026
Data exposure: Not automatic; depends on post-access activity
Status: Vendor hotfix available

Check Point describes CVE-2026-50751 as an authentication bypass affecting specified Remote Access VPN and Mobile Access deployments configured to use deprecated IKEv1. An unauthenticated attacker can establish a remote-access VPN connection without a valid user password. Check Point observed exploitation in the wild and recommends forensic review from its earliest observed date of 7th May 2026. CISA added the flaw to its Known Exploited Vulnerabilities catalog on 8th June 2026.

Action: Apply the vendor hotfix, confirm whether the deployment uses deprecated IKEv1, retire unsupported configurations where possible and review VPN authentication, certificate and session logs from at least 7th May 2026. Patching does not replace compromise assessment.

Evidence: Check Point’s official advisory and CISA’s Known Exploited Vulnerabilities catalog.

Tags: Active exploitation · Authentication bypass · Remote access · Ransomware risk
9th June 2026 · Enterprise mobile gateway

Ivanti Sentry Flaws Allow Root Code Execution and Rogue Admin Creation

Critical
Identifiers: CVE-2026-10520 (10.0) / CVE-2026-10523 (9.9)
Exploitation: None known at vendor disclosure
Data exposure: No victim incident confirmed
Status: Fixed versions and public analysis available

Ivanti disclosed two critical Sentry flaws. CVE-2026-10520 is an unauthenticated OS-command injection that can provide root-level remote code execution. CVE-2026-10523 is an authentication bypass that can allow creation of arbitrary administrator accounts and full administrative access. Ivanti said it was not aware of customer exploitation at disclosure. Public technical analysis of CVE-2026-10520 was subsequently released, increasing patch urgency, but that does not by itself prove in-the-wild exploitation.

Action: Upgrade to Sentry R10.5.2, R10.6.2 or R10.7.1 as applicable. Review administrator accounts, configuration changes and gateway logs, restrict unnecessary internet exposure and do not wait for confirmed exploitation now that detailed technical analysis is public.

Evidence: Ivanti’s advisory, NVD CVE records, the Canadian Centre for Cyber Security and watchTowr technical analysis.

Tags: Patch available · Unauthenticated RCE · Root access · No known exploitation
June 2026 · Fake consumer VPN installer

Trojanised X‑VPN Packages Used to Deliver STX RAT

High
Attack type: Confirmed malicious repackaging
Official service breached? No; official channels unaffected
Payload: STX RAT / in-memory infostealer
Hardened version: Windows 77.5.3 or later

Cyderes identified an attacker-controlled X‑VPN bundle containing legitimate X‑VPN and WireGuard components alongside a malicious CRYPTBASE.dll. Running the repackaged bundle could trigger DLL sideloading and load STX RAT in memory. Cyderes states that X‑VPN’s service, infrastructure, servers, accounts and official downloads were not breached. It also states that no confirmed in-the-wild exploitation was identified through this X‑VPN-specific path; the malicious bundle and attack capability are confirmed, while the number of victims is unknown.

Action: Users who ran an X‑VPN package from an unofficial source should isolate the device, investigate for credential and session-token theft, revoke active sessions and change credentials from a clean device. Official-channel users should update to Windows version 77.5.3 or later.

Evidence: Cyderes Howler Cell’s coordinated disclosure, including X‑VPN’s documented remediation.

Tags: Fake installer · DLL sideloading · Credential theft · Official downloads unaffected
Late May–June 2026 · Consumer VPN disruption

Amnezia VPN Reports Large DDoS Attack and Targeted IP Blocking

High availability impact
Attack type: Provider-reported DDoS plus IP blocking
Users affected: Free and Premium users reported affected
Data breach evidence: None published
Attribution: Provider allegation; not independently proven

Amnezia said an unusually large denial-of-service attack coincided with targeted blocking of many server addresses, causing unstable applications and difficulty switching servers. Meduza reported that Free and Premium users were affected. Amnezia attributed the activity to Roskomnadzor, which did not comment in the cited report. No independent forensic evidence has publicly established the attacker’s identity, and no customer-data exposure has been reported.

Action: Treat this as an availability and censorship incident unless new evidence shows data exposure. Use only official recovery instructions and avoid unofficial replacement applications.

Evidence: Amnezia’s statements as reported by Meduza; the attribution remains unverified.

Tags: DDoS · Censorship · No breach evidence · Attribution unverified

Historical Benchmark Incidents

April 2025 · Enterprise SSL‑VPN infrastructure

FortiGate Attackers Retained Read-Only Access After Initial Patching

High
Attack type: Persistence after known flaws
Exploitation: Confirmed
Potential data: Device files and configurations
Condition: SSL‑VPN had been enabled

Fortinet said a threat actor exploited previously known vulnerabilities and created a symbolic link between the user and root filesystems in a directory used by the SSL‑VPN interface. This could preserve read-only access to files, including configurations, after the original entry point was patched. Fortinet states that devices which had never enabled SSL‑VPN were not affected by this specific persistence technique.

Action: Upgrade to FortiOS 7.6.2, 7.4.7, 7.2.11, 7.0.17 or 6.4.16, or later supported fixes. Review the full device configuration and treat configuration contents as potentially compromised when indicators are present.

Evidence: Fortinet PSIRT technical analysis.

Tags: Confirmed compromise · Persistence · Configuration access · Enterprise
18th April 2023 · Legal search

Police Search Mullvad Office but Leave Without Customer Data

No data obtained
Incident type: Provider-reported legal search
Equipment seized: None, according to Mullvad
Customer data obtained: None, according to Mullvad
Breach? No evidence of a breach

Mullvad reported that Swedish police visited its Gothenburg office with a search warrant on 18th April 2023 and intended to seize computers containing customer data. Mullvad said the requested customer information did not exist and that officers left without taking equipment or obtaining customer information. This is a provider-reported legal transparency event, not independent proof that every possible Mullvad data category is absent.

Action: No user action was required. The event is useful evidence about data minimisation, while still relying primarily on the provider’s public account and later correspondence.

Evidence: Mullvad incident statement and follow-up publication of the Swedish prosecution response.

Tags: Search warrant · No logs found · No seizure · Transparency
24th June 2021 · Server seizure

Windscribe Ukraine Servers Seized With OpenVPN Private Keys on Disk

Limited cryptographic risk
Incident type: Physical server seizure
Stored material: OpenVPN certificate and key
Traffic logs: Provider said none
Disk encryption: Legacy servers were unencrypted

Windscribe reported that two legacy servers in Ukraine were seized on 24th June 2021. Their unencrypted disks contained an OpenVPN server certificate and private key, but Windscribe said the servers held no VPN traffic logs and it had no reason to believe they were accessed before seizure. The exposed material created a narrow impersonation risk under specific conditions; it did not enable decryption of previously recorded VPN traffic.

Action: Windscribe revoked and replaced affected certificates, changed parts of its OpenVPN configuration and accelerated server-encryption improvements.

Evidence: Windscribe’s detailed incident and remediation post.

Tags: Server seizure · Private key · No traffic logs claimed · Legacy infrastructure
2021 · Enterprise remote-access gateway

Pulse Connect Secure CVE-2021-22893 Exploited in Major Campaigns

Critical historical case
Identifier: CVE-2021-22893
Exploitation: Confirmed
Impact: Authentication bypass leading to remote code execution
Status: Historical, patch required

CVE-2021-22893 affected Pulse Connect Secure 9.0R3/9.1R1 and later vulnerable releases. Official records describe an authentication-bypass condition involving Pulse features that could allow an unauthenticated attacker to achieve remote arbitrary code execution on the gateway. The vulnerability was exploited in the wild, prompted a CISA emergency directive and remains a benchmark example of why VPN gateways require both rapid patching and integrity checking.

Action: Any organisation retaining legacy Pulse Connect Secure systems should verify support status, apply current Ivanti guidance, use integrity-checking procedures and investigate historical exposure rather than assuming a later patch removed attacker persistence.

Evidence: Ivanti/Pulse Secure advisory SA44784, NVD and CISA emergency and exploited-vulnerability records.

Tags: Active exploitation · Authentication bypass · Federal directive · Historical benchmark
March 2018 · Disclosed October 2019 · Consumer VPN server breach

NordVPN Third-Party Datacentre Server Access

Single-server breach
Incident type: Unauthorised server access
Infrastructure: One Finland server
User credentials: Provider said unaffected
Disclosure: Public in 2019

NordVPN said one rented server in Finland was accessed without authorisation in March 2018 through an insecure remote-management account added by the datacentre. NordVPN said no user credentials or activity logs were affected and no other servers were exposed. The attacker obtained TLS keys that NordVPN said could support only a highly targeted impersonation scenario and could not decrypt NordVPN VPN traffic.

Action: No current user action remains specific to this historical case. The lasting lessons are third-party infrastructure oversight, disk and key protection, rapid notification and timely public disclosure.

Evidence: NordVPN’s official datacentre-breach response.

Tags: Confirmed access · Third-party datacentre · No credentials claimed · Delayed disclosure

How We Classify VPN Incidents

Label | Meaning | What it does not automatically mean
Confirmed unauthorised access | A vendor, authority or credible technical investigation confirms that an attacker entered a system or accessed protected files. | Personal data was necessarily accessed, copied or exposed.
Confirmed data breach | There is evidence that protected customer or organisational data was accessed, acquired or disclosed without authorisation. | Every customer, field or system was affected.
Vulnerability | A weakness exists in software or hardware and may have a CVE identifier. | Attackers exploited it or accessed data.
Active exploitation | A vendor, government or credible researcher observed attacks using the flaw. | Every vulnerable deployment is compromised.
Fake installer | Attackers distribute malware using a provider’s branding or legitimate program components. | The provider’s official servers, app store listing or accounts were breached.
DDoS or outage | Availability is disrupted by traffic flooding, blocking or operational failure. | Traffic was decrypted or customer data was stolen.
Server seizure or legal search | Authorities physically or legally attempt to obtain systems or information. | Useful customer records existed or were obtained.

What Consumer VPN Users Should Do

  1. Install only from an official source: use the provider’s verified website or a recognised app store.
  2. Check the digital signature: a familiar filename and icon do not prove a Windows installer is genuine.
  3. Update promptly: client hardening can prevent malicious DLL loading and other local attacks.
  4. Separate outages from breaches: act when credentials or devices may be compromised, not merely because a server is unavailable.
  5. Use unique passwords and MFA: a VPN account should not share credentials with email, banking or cryptocurrency accounts.
  6. Revoke sessions after malware exposure: changing a password may not invalidate stolen browser cookies or application tokens.
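One way to carry out steps 1 to 3 on a Windows download, and to look for the sideloading pattern seen in the trojanised X‑VPN bundle above, as an added PowerShell example that is not code from the tracker or from any VPN provider. The installer path, the expected publisher string and the result layout are assumptions; the cmdlets used are standard Windows PowerShell.

```powershell
# Added example: check a downloaded Windows VPN installer or an unpacked bundle.
# Assumed inputs: a file or folder path and the publisher name expected in the signer subject.
function Test-VpnInstaller {
    param(
        [Parameter(Mandatory)] [string] $Path,              # installer (.exe/.msi) or unpacked folder
        [Parameter(Mandatory)] [string] $ExpectedPublisher  # substring expected in the signer's Subject
    )
    $findings = [System.Collections.Generic.List[string]]::new()
    $isFolder = Test-Path -Path $Path -PathType Container

    # Step 2: Authenticode. A familiar filename or icon proves nothing; require a valid chain
    # AND the expected publisher, so a validly signed bundle from someone else also fails.
    $target = if ($isFolder) { Get-ChildItem -Path $Path -Filter *.exe -Recurse | Select-Object -First 1 } else { Get-Item -Path $Path }
    if (-not $target) { throw "No executable found under $Path" }
    $sig = Get-AuthenticodeSignature -FilePath $target.FullName
    if ($sig.Status -ne 'Valid') {
        $findings.Add("Signature status '$($sig.Status)': $($sig.StatusMessage)")
    } elseif ($sig.SignerCertificate.Subject -notlike "*$ExpectedPublisher*") {
        $findings.Add("Valid signature, but signer is '$($sig.SignerCertificate.Subject)'")
    }

    # Sideloading indicator: a DLL shipped next to the application that shares its name with a
    # System32 DLL (the trojanised X-VPN bundle carried its own CRYPTBASE.dll). Some legitimate
    # software does this too, so hits are review items rather than a verdict.
    if ($isFolder) {
        $systemDlls = Get-ChildItem -Path "$env:SystemRoot\System32" -Filter *.dll |
            ForEach-Object { $_.Name.ToLowerInvariant() }
        Get-ChildItem -Path $Path -Filter *.dll -Recurse | ForEach-Object {
            if ($systemDlls -contains $_.Name.ToLowerInvariant()) {
                $findings.Add("Possible DLL sideloading: $($_.FullName) shadows a System32 DLL")
            }
        }
    }

    [pscustomobject]@{
        Target   = $target.FullName
        Signer   = $sig.SignerCertificate.Subject
        Status   = $sig.Status
        Findings = $findings.ToArray()
        Safe     = ($findings.Count -eq 0)
    }
}

# Hypothetical usage; the path and publisher are placeholders:
Test-VpnInstaller -Path "$env:USERPROFILE\Downloads\vpn-setup.exe" -ExpectedPublisher 'O=Example VPN Ltd'
```

A result with Safe set to false is a reason to delete the download and fetch the client again from the provider's own site, not a proof of infection.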

What Businesses Should Do

  • Inventory internet-facing gateways: include forgotten appliances, test systems and end-of-support versions.
  • Track exploited-vulnerability catalogs: patching priority should consider real-world exploitation, not only CVSS.
  • Remove deprecated protocols: legacy IKEv1 and unsupported clients create avoidable exposure.
  • Investigate, do not only patch: persistent artefacts and stolen credentials can survive a software update.
  • Restrict management interfaces: administration should not be broadly exposed to the internet.
  • Rotate secrets after configuration exposure: device backups can contain credentials, private keys and internal topology.
  • Segment remote access: a compromised VPN account should not provide unrestricted internal movement.
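The catalog cross-check in the second item, as an added PowerShell example that is not from the tracker or from CISA: it ranks an inventory of gateways by whether their open CVEs appear in the KEV feed, so confirmed exploitation rather than CVSS alone sets the order. The KEV field names are those of the real feed; the feed excerpt, the inventory and every date except the 8 June 2026 Check Point addition are constructed placeholders.

```powershell
# Added example: rank gateways by KEV presence rather than by CVSS alone.
# $sampleKev is a constructed excerpt in the real feed's field layout; only the Check Point
# dateAdded (8 June 2026) comes from the tracker, the other dates are placeholders.
$sampleKev = ConvertFrom-Json -InputObject @'
{ "vulnerabilities": [
  { "cveID": "CVE-2026-50751", "vendorProject": "Check Point", "product": "Remote Access VPN",
    "dateAdded": "2026-06-08", "dueDate": "2026-06-29", "knownRansomwareCampaignUse": "Unknown" },
  { "cveID": "CVE-2021-22893", "vendorProject": "Pulse Secure", "product": "Pulse Connect Secure",
    "dateAdded": "2021-11-03", "dueDate": "2021-11-17", "knownRansomwareCampaignUse": "Unknown" }
] }
'@

function Get-GatewayPatchPriority {
    param(
        [Parameter(Mandatory)] [object[]] $Inventory,  # hashtables with Name, Product, OpenCves
        [Parameter(Mandatory)] $Kev                    # parsed KEV feed (ConvertFrom-Json / Invoke-RestMethod)
    )
    # Index the catalog by CVE once; the live feed has well over a thousand entries.
    $byCve = @{}
    foreach ($v in $Kev.vulnerabilities) { $byCve[$v.cveID] = $v }

    $Inventory | ForEach-Object {
        $item = $_
        $hits = @($item.OpenCves | Where-Object { $byCve.ContainsKey($_) } | ForEach-Object { $byCve[$_] })
        # Exploited in the wild outranks a higher CVSS score with no known exploitation.
        $priority = if ($hits.Count -gt 0) { 'P1 exploited in the wild' } else { 'P2 not in KEV' }
        [pscustomobject]@{
            Name        = $item.Name
            Product     = $item.Product
            OpenCves    = ($item.OpenCves -join ', ')
            KevCves     = (@($hits | ForEach-Object cveID) -join ', ')
            EarliestDue = ($hits | Sort-Object dueDate | Select-Object -First 1).dueDate
            Ransomware  = (@($hits | Where-Object { $_.knownRansomwareCampaignUse -eq 'Known' }).Count -gt 0)
            Priority    = $priority
        }
    } | Sort-Object Priority, EarliestDue
}

# Constructed inventory using the gateways discussed on this page (hostnames are placeholders).
$inventory = @(
    @{ Name = 'vpn-gw-01';  Product = 'Check Point Remote Access VPN, IKEv1 enabled'; OpenCves = @('CVE-2026-50751') },
    @{ Name = 'sentry-01';  Product = 'Ivanti Sentry';                                OpenCves = @('CVE-2026-10520', 'CVE-2026-10523') },
    @{ Name = 'pcs-legacy'; Product = 'Pulse Connect Secure 9.1R1';                   OpenCves = @('CVE-2021-22893') }
)
Get-GatewayPatchPriority -Inventory $inventory -Kev $sampleKev | Format-Table -AutoSize
# Against the live catalog: -Kev (Invoke-RestMethod 'https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json')
```

The Ivanti Sentry host lands in P2 here only because no exploitation was known at disclosure; as the entry above notes, public technical analysis is its own reason not to wait.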

Methodology and Update Policy

Evidence hierarchy

Vendor advisories, regulator notices, CISA and national cyber-agency publications, court or police records and named technical research receive the greatest weight. Anonymous claims and threat-actor advertisements are not treated as confirmed without corroboration.

Each entry answers four questions: what happened, whether exploitation or unauthorised access is confirmed, what information may have been exposed and what action is required. Historical cases are included when they demonstrate recurring risks such as third-party hosting, gateway patching, key storage, legal demands, malicious installers or persistence after remediation. This is a curated tracker, not a complete CVE database.

Important limitation

Absence from this tracker does not prove that a service has never experienced an incident. Some events are never disclosed publicly, and vendors use different definitions of “breach”, “compromise” and “customer impact”.

Frequently Asked Questions

What is the difference between a VPN breach and a VPN vulnerability?

A vulnerability is a weakness that may be exploitable. A breach requires unauthorised access to a system or data. A critical CVE can exist without a known victim, while a breach may result from stolen credentials without a new CVE.

Does a VPN outage mean my browsing data was stolen?

No. DDoS attacks and blocking affect availability. They do not automatically decrypt VPN traffic or expose account information.

Are fake VPN installers counted as provider breaches?

Only when the official distribution channel or provider infrastructure was compromised. Malware hosted on an attacker-controlled site is labelled as impersonation or malicious repackaging.

Why are corporate VPN gateways included?

Enterprise remote-access systems are frequent entry points for ransomware and espionage. Their risk model differs from consumer privacy services, so they are filtered and labelled separately.

Does a no-logs policy guarantee nothing can be exposed?

No. A provider may still hold account, billing, support, fraud-prevention, crash or infrastructure data. No-logs claims usually concern browsing or connection activity and must be read within their stated scope.

What should I do after installing a fake VPN?

Disconnect the device, run an endpoint investigation, revoke sessions and change credentials from a clean device. Reinstalling the VPN alone may not remove malware or invalidate stolen tokens.


Written by Martin Needs

Director at NeedSec LTD | Cybersecurity Expert | 10+ Years Experience

“The most important tracker field is often not severity. It is evidence: was data actually accessed, is exploitation confirmed, and does the affected configuration match the reader’s system?”

OSCP Certified · Cyber Essentials Assessor · CompTIA PenTest+ · Incident Response · Network Security
