VPN Data Breach and Security Incident Tracker
A documented record of consumer VPN breaches, exploited enterprise gateways, malicious installers, server seizures and service attacks—with evidence labels, scope limitations and practical actions.
By Martin Needs — Cybersecurity Expert
A consumer provider may lose control of one server without exposing accounts. An enterprise gateway flaw may give attackers internal access. A fake installer may infect users while the real provider remains uncompromised. This tracker keeps those distinctions visible.
Current Priority Incidents
Check Point VPN Authentication Bypass Under Active Exploitation
Check Point describes CVE-2026-50751 as an authentication bypass affecting specified Remote Access VPN and Mobile Access deployments configured to use deprecated IKEv1. An unauthenticated attacker can establish a remote-access VPN connection without a valid user password. Check Point observed exploitation in the wild and recommends forensic review from its earliest observed date of 7th May 2026. CISA added the flaw to its Known Exploited Vulnerabilities catalog on 8th June 2026.
Evidence: Check Point’s official advisory and CISA’s Known Exploited Vulnerabilities catalog.
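The practical question behind this entry, and behind the "remove deprecated protocols" advice further down, is whether anything on your network still negotiates IKEv1 at all. The ISAKMP header carries the answer in one byte, so a capture of UDP/500 and UDP/4500 traffic is enough to inventory IKEv1 peers without touching the gateway. The following is an added example written for this tracker, not Check Point code; it parses the fixed ISAKMP header, handles the NAT-T non-ESP marker on UDP/4500, and reports which source addresses sent IKEv1 exchanges. The sample capture is constructed inline and the addresses in it are documentation-range placeholders.

```python
"""Inventory IKEv1 peers from the ISAKMP header of UDP/500 and UDP/4500 payloads.

Added example for this tracker (not Check Point code). Sample packets are
constructed inline; in practice, feed it UDP payloads pulled from a capture.
"""
import struct

# ISAKMP fixed header (RFC 2408 for IKEv1, RFC 7296 for IKEv2), 28 bytes:
# initiator SPI, responder SPI, next payload, version, exchange type, flags,
# message ID, total length. The version byte holds the major version in the
# high nibble and the minor in the low nibble: 0x10 = IKEv1, 0x20 = IKEv2.
ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: IKE on UDP/4500 carries this prefix

IKEV1_EXCHANGES = {2: "Identity Protection (Main Mode)", 4: "Aggressive Mode",
                   5: "Informational", 32: "Quick Mode"}
IKEV2_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
                   36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}


def parse_ike_header(payload: bytes, dst_port: int = 500) -> dict:
    """Decode the ISAKMP header; raise ValueError for ESP-in-UDP or short data."""
    data = payload
    if dst_port == 4500:
        # ESP-in-UDP starts with a non-zero SPI; IKE starts with four zero bytes.
        if not data.startswith(NON_ESP_MARKER):
            raise ValueError("UDP/4500 payload is ESP, not IKE")
        data = data[len(NON_ESP_MARKER):]
    if len(data) < ISAKMP_HEADER.size:
        raise ValueError("truncated ISAKMP header")
    ispi, rspi, _nxt, version, exch, _flags, _msg_id, length = ISAKMP_HEADER.unpack_from(data)
    major, minor = version >> 4, version & 0x0F
    names = IKEV1_EXCHANGES if major == 1 else IKEV2_EXCHANGES
    return {
        "major": major,
        "minor": minor,
        "exchange": names.get(exch, f"unknown({exch})"),
        # IKEv1 Aggressive Mode sends the identity payload unencrypted and, with
        # pre-shared keys, exposes material for offline password guessing.
        "aggressive_mode": major == 1 and exch == 4,
        "initiator_spi": ispi.hex(),
        "responder_spi": rspi.hex(),
        "declared_length": length,
    }


def find_ikev1_peers(captures) -> dict:
    """captures: iterable of (src_ip, dst_port, udp_payload) tuples.

    Returns {src_ip: set(exchange names)} for every peer that sent IKEv1.
    That list is the inventory you need before disabling IKEv1 on a gateway.
    """
    peers = {}
    for src_ip, dst_port, payload in captures:
        try:
            hdr = parse_ike_header(payload, dst_port)
        except ValueError:
            continue  # ESP or junk, not an IKE negotiation
        if hdr["major"] == 1:
            peers.setdefault(src_ip, set()).add(hdr["exchange"])
    return peers


def build_ike_packet(major: int, exchange: int, ispi: bytes = b"\x11" * 8,
                     rspi: bytes = b"\x00" * 8, nat_t: bool = False) -> bytes:
    """Construct a header-only IKE datagram for testing (no payloads follow)."""
    pkt = ISAKMP_HEADER.pack(ispi, rspi, 0, major << 4, exchange, 0, 0, ISAKMP_HEADER.size)
    return (NON_ESP_MARKER + pkt) if nat_t else pkt


# Constructed sample capture: two IKEv1 peers, one IKEv2 peer, one ESP datagram.
SAMPLE_CAPTURE = [
    ("203.0.113.10", 500, build_ike_packet(1, 4)),               # IKEv1 Aggressive Mode
    ("203.0.113.11", 4500, build_ike_packet(1, 2, nat_t=True)),  # IKEv1 Main Mode behind NAT
    ("203.0.113.12", 500, build_ike_packet(2, 34)),              # IKEv2 IKE_SA_INIT
    ("203.0.113.13", 4500, b"\x12\x34\x56\x78" + b"\x00" * 24),  # ESP (SPI != 0), skipped
]

if __name__ == "__main__":
    for ip, exchanges in sorted(find_ikev1_peers(SAMPLE_CAPTURE).items()):
        print(f"{ip}: still negotiating IKEv1 ({', '.join(sorted(exchanges))})")
```

Run it against the first 28 bytes (32 on UDP/4500) of each IKE datagram from a capture rather than the gateway's own logs: the header is sent in the clear in both IKE versions, so the inventory does not depend on vendor log formats, and an Aggressive Mode hit is worth treating as a separate finding from plain IKEv1 use.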
Ivanti Sentry Flaws Allow Root Code Execution and Rogue Admin Creation
Ivanti disclosed two critical Sentry flaws. CVE-2026-10520 is an unauthenticated OS-command injection that can provide root-level remote code execution. CVE-2026-10523 is an authentication bypass that can allow creation of arbitrary administrator accounts and full administrative access. Ivanti said it was not aware of customer exploitation at disclosure. Public technical analysis of CVE-2026-10520 was subsequently released, increasing patch urgency, but that does not by itself prove in-the-wild exploitation.
Evidence: Ivanti’s advisory, NVD CVE records, the Canadian Centre for Cyber Security and watchTowr technical analysis.
Trojanised X‑VPN Packages Used to Deliver STX RAT
Cyderes identified an attacker-controlled X‑VPN bundle containing legitimate X‑VPN and WireGuard components alongside a malicious CRYPTBASE.dll. Running the repackaged bundle could trigger DLL sideloading and load STX RAT in memory. Cyderes states that X‑VPN’s service, infrastructure, servers, accounts and official downloads were not breached. It also states that no confirmed in-the-wild exploitation was identified through this X‑VPN-specific path; the malicious bundle and attack capability are confirmed, while the number of victims is unknown.
Evidence: Cyderes Howler Cell’s coordinated disclosure, including X‑VPN’s documented remediation.
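The layout Cyderes describes, genuine signed components with one extra DLL bearing a Windows system library name, is the standard DLL sideloading shape: for libraries that are not on the KnownDLLs list, the loader searches the application directory before System32, so a planted copy wins. A first-pass triage of an unpacked bundle therefore has two parts: compare every file against the hashes the vendor publishes, and flag any DLL whose name collides with a commonly sideloaded system library. The following is an added example written for this tracker, not Cyderes or X‑VPN code. The manifest, the file names (XVPN.exe, wireguard.dll) and the file contents are constructed placeholders; CRYPTBASE.dll is the name from the report, and the other names in SIDELOAD_PRONE are an assumed watchlist that you should extend for your own estate.

```python
"""Triage an unpacked VPN installer bundle for repackaging and DLL sideloading.

Added example for this tracker, not Cyderes or X-VPN code. The manifest and
the bundle contents are constructed placeholders; a real run would use the
vendor's published hashes and the actual extracted installer directory.
"""
import hashlib
import pathlib
import tempfile

# CRYPTBASE.dll is the name from the Cyderes report; the rest is an assumed
# watchlist of system DLL names that are frequently planted for sideloading.
SIDELOAD_PRONE = {"cryptbase.dll", "version.dll", "dbghelp.dll", "wtsapi32.dll",
                  "dwmapi.dll", "uxtheme.dll", "userenv.dll"}


def sha256_file(path: pathlib.Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_bundle(root, manifest: dict) -> list:
    """Return (finding, relative_path, sha256) tuples, most serious first.

    manifest maps relative path -> expected SHA-256 for the genuine bundle.
    A SIDELOAD_CANDIDATE is a lead, not proof: some applications legitimately
    ship one of these names, so confirm against the vendor's manifest and the
    DLL's signature before calling it malicious.
    """
    root = pathlib.Path(root)
    seen = set()
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        digest = sha256_file(path)
        seen.add(rel)
        expected = manifest.get(rel)
        if expected is None:
            findings.append(("UNEXPECTED_FILE", rel, digest))
        elif expected != digest:
            findings.append(("HASH_MISMATCH", rel, digest))
        # A system DLL name beside the executable is the classic sideloading
        # layout: for non-KnownDLLs the loader checks the application directory
        # before System32, so the planted copy is loaded first.
        if path.suffix.lower() == ".dll" and path.name.lower() in SIDELOAD_PRONE:
            findings.append(("SIDELOAD_CANDIDATE", rel, digest))
    for rel in sorted(set(manifest) - seen):
        findings.append(("MISSING_FILE", rel, manifest[rel]))
    order = {"SIDELOAD_CANDIDATE": 0, "HASH_MISMATCH": 1, "UNEXPECTED_FILE": 2, "MISSING_FILE": 3}
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))


def make_sample_bundle():
    """Construct a fake unpacked bundle plus the manifest for the genuine one.

    Returns (bundle_dir, manifest). File contents are placeholder bytes, not
    real binaries; the layout mirrors the report: legitimate components plus
    an extra CRYPTBASE.dll that the genuine bundle does not contain.
    """
    genuine = {"XVPN.exe": b"placeholder-installer-bytes",
               "wireguard.dll": b"placeholder-wireguard-bytes"}
    manifest = {name: hashlib.sha256(data).hexdigest() for name, data in genuine.items()}
    bundle = pathlib.Path(tempfile.mkdtemp(prefix="bundle-"))
    for name, data in genuine.items():
        (bundle / name).write_bytes(data)
    (bundle / "CRYPTBASE.dll").write_bytes(b"placeholder-planted-loader")  # the repackaged extra
    return bundle, manifest


if __name__ == "__main__":
    bundle, manifest = make_sample_bundle()
    for finding, rel, digest in triage_bundle(bundle, manifest):
        print(f"{finding:18} {rel:16} {digest[:16]}...")
```

On a real bundle, run this over the extracted installer rather than the running installation, and follow any SIDELOAD_CANDIDATE with a signature check of that specific DLL: a legitimately shipped copy is normally signed by the vendor, while a planted loader is typically unsigned or signed by an unrelated party.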
Amnezia VPN Reports Large DDoS Attack and Targeted IP Blocking
Amnezia said an unusually large denial-of-service attack coincided with targeted blocking of many server addresses, causing unstable applications and difficulty switching servers. Meduza reported that Free and Premium users were affected. Amnezia attributed the activity to Roskomnadzor, which did not comment in the cited report. No independent forensic evidence has publicly established the attacker’s identity, and no customer-data exposure has been reported.
Evidence: Amnezia’s statements as reported by Meduza; the attribution remains unverified.
Historical Benchmark Incidents
FortiGate Attackers Retained Read-Only Access After Initial Patching
Fortinet said a threat actor exploited previously known vulnerabilities and created a symbolic link between the user and root filesystems in a folder the SSL‑VPN uses to serve language files. Because the link lived in content the SSL‑VPN served, it could preserve read-only access to files, including configurations, after the original entry point was patched. Fortinet states that devices which had never enabled SSL‑VPN were not affected by this specific persistence technique.
Evidence: Fortinet PSIRT technical analysis.
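The lesson of this entry is that a patch closes the entry point but does not remove what the attacker left behind; a symlink in served content that points into the root filesystem survives the update and keeps working. The following is an added example written for this tracker, not Fortinet code and not a check for any specific FortiGate path: it walks a content tree and reports every symbolic link whose resolved target lies outside that tree (and outside an optional allowlist), which is the shape of a post-patch hunt for this class of artefact on any system you can mount or shell into. The sample tree is constructed in a temporary directory.

```python
"""Find symbolic links that escape a served content tree.

Added example for this tracker, not Fortinet code and not tied to any
particular appliance path. The sample tree is constructed inline.
"""
import os
import pathlib
import tempfile


def _inside(target: pathlib.Path, root: pathlib.Path) -> bool:
    return target == root or root in target.parents


def find_escaping_symlinks(content_root, allowed_roots=()) -> list:
    """Return one dict per symlink under content_root that resolves outside it.

    allowed_roots lists directories that links may legitimately point into
    (for example a shared static-assets tree). Links whose chain cannot be
    resolved at all are reported too, since they still warrant a look.
    """
    root = pathlib.Path(content_root).resolve()
    allowed = [pathlib.Path(a).resolve() for a in allowed_roots]
    hits = []
    # os.walk lists symlinked directories but does not descend into them,
    # so a link to / does not turn the scan into a walk of the whole system.
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            link = pathlib.Path(dirpath) / name
            if not link.is_symlink():
                continue
            raw = os.readlink(link)
            try:
                target = link.resolve()  # follows the whole chain of links
            except (OSError, RuntimeError):  # loop or otherwise unresolvable chain
                target = None
            if target is not None and (
                _inside(target, root) or any(_inside(target, a) for a in allowed)
            ):
                continue
            hits.append({
                "link": str(link),
                "raw_target": raw,
                "resolved": None if target is None else str(target),
            })
    return hits


def make_sample_tree() -> str:
    """Construct a fake content tree: one benign in-tree link, one link to /."""
    root = pathlib.Path(tempfile.mkdtemp(prefix="served-content-"))
    (root / "lang").mkdir()
    (root / "lang" / "en.json").write_text("{}")
    os.symlink("en.json", root / "lang" / "default.json")  # relative, stays inside
    os.symlink("/", root / "lang" / "fs")                   # escapes to the root filesystem
    return str(root)


if __name__ == "__main__":
    for hit in find_escaping_symlinks(make_sample_tree()):
        print(f"{hit['link']} -> {hit['raw_target']} (resolves to {hit['resolved']})")
```

Run it against the document root of anything the appliance serves, from a clean host that has the appliance filesystem mounted where possible, and treat any hit that resolves to the root filesystem or to a configuration directory as a persistence artefact to be removed and investigated rather than a misconfiguration to be quietly tidied.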
Police Search Mullvad Office but Leave Without Customer Data
Mullvad reported that Swedish police visited its Gothenburg office with a search warrant on 18th April 2023 and intended to seize computers containing customer data. Mullvad said the requested customer information did not exist and that officers left without taking equipment or obtaining customer information. This is a provider-reported legal transparency event, not independent proof that every possible Mullvad data category is absent.
Evidence: Mullvad incident statement and follow-up publication of the Swedish prosecution response.
Windscribe Ukraine Servers Seized With OpenVPN Private Keys on Disk
Windscribe reported that two legacy servers in Ukraine were seized on 24th June 2021. Their unencrypted disks contained an OpenVPN server certificate and private key, but Windscribe said the servers held no VPN traffic logs and it had no reason to believe they were accessed before seizure. The exposed material created a narrow impersonation risk under specific conditions; it did not enable decryption of previously recorded VPN traffic.
Evidence: Windscribe’s detailed incident and remediation post.
Pulse Connect Secure CVE-2021-22893 Exploited in Major Campaigns
CVE-2021-22893 affected Pulse Connect Secure 9.0R3/9.1R1 and later vulnerable releases. Official records describe an authentication bypass exposed by the Windows File Share Browser and Pulse Secure Collaboration features that could allow an unauthenticated attacker to achieve remote arbitrary code execution on the gateway. The vulnerability was exploited in the wild, prompted a CISA emergency directive and remains a benchmark example of why VPN gateways require both rapid patching and integrity checking.
Evidence: Ivanti/Pulse Secure advisory SA44784, NVD and CISA emergency and exploited-vulnerability records.
NordVPN Third-Party Datacentre Server Access
NordVPN said one rented server in Finland was accessed without authorisation in March 2018 through an insecure remote-management account added by the datacentre. NordVPN said no user credentials or activity logs were affected and no other servers were exposed. The attacker obtained TLS keys that NordVPN said could support only a highly targeted impersonation scenario and could not decrypt NordVPN VPN traffic.
Evidence: NordVPN’s official datacentre-breach response.
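Both the Windscribe and the NordVPN entries rest on the same property: a server's long-term TLS key only authenticates the handshake, while the session key comes from an ephemeral exchange whose private values are discarded, so someone who later obtains the long-term key can impersonate the server to new connections (if they can also get on the path) but cannot recover the keys of sessions already recorded. The following is an added example written for this tracker, not OpenVPN, Windscribe or NordVPN code: a toy model of that pattern in which an HMAC keyed with the long-term secret stands in for the certificate signature, the client's copy of that secret stands in for the certificate it validates, and the 1024-bit MODP group is RFC 2409 group 2, far too small for real use. It exists to show the asymmetry between impersonation and decryption, not to be reused for key exchange.

```python
"""Why a stolen server key permits impersonation but not decryption of old sessions.

Added example for this tracker, not OpenVPN, Windscribe or NordVPN code. A toy
model only: HMAC stands in for the certificate signature, and the modulus is
the RFC 2409 group 2 prime, which is far too small for real use.
"""
import hashlib
import hmac
import secrets

P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
NBYTES = 128  # 1024-bit group elements


def ephemeral_keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def auth_tag(long_term_key: bytes, transcript: bytes) -> bytes:
    """Stand-in for the server signing the handshake transcript with its certificate key."""
    return hmac.new(long_term_key, transcript, hashlib.sha256).digest()


def derive_session_key(shared_secret: int) -> bytes:
    return hashlib.sha256(b"session" + shared_secret.to_bytes(NBYTES, "big")).digest()


def server_respond(server_key: bytes, c_pub: int):
    """Server side: fresh ephemeral, tag over the transcript, derive, then forget."""
    s_priv, s_pub = ephemeral_keypair()
    transcript = c_pub.to_bytes(NBYTES, "big") + s_pub.to_bytes(NBYTES, "big")
    tag = auth_tag(server_key, transcript)
    session = derive_session_key(pow(c_pub, s_priv, P))
    del s_priv  # never stored and never sent: this is what makes old sessions unrecoverable
    return s_pub, tag, session


def client_connect(trusted_server_key: bytes, responder):
    """Client side. responder(c_pub) -> (s_pub, tag, _) models whoever answers on the wire.

    Returns (session_key, recording); recording is everything a passive observer
    sees. Returns (None, None) if the responder cannot prove it holds the key.
    """
    c_priv, c_pub = ephemeral_keypair()
    s_pub, tag, _ = responder(c_pub)
    transcript = c_pub.to_bytes(NBYTES, "big") + s_pub.to_bytes(NBYTES, "big")
    if not hmac.compare_digest(tag, auth_tag(trusted_server_key, transcript)):
        return None, None
    session = derive_session_key(pow(s_pub, c_priv, P))
    return session, {"c_pub": c_pub, "s_pub": s_pub, "tag": tag}


SERVER_KEY = secrets.token_bytes(32)  # the long-term key that later ends up on a seized disk


def scenario() -> dict:
    """Two genuine sessions, then the long-term key leaks. Returns named outcomes."""
    server_sessions = []

    def genuine(c_pub):
        s_pub, tag, session = server_respond(SERVER_KEY, c_pub)
        server_sessions.append(session)
        return s_pub, tag, session

    k1, rec1 = client_connect(SERVER_KEY, genuine)
    k2, rec2 = client_connect(SERVER_KEY, genuine)

    # The attacker now holds SERVER_KEY plus the recordings. Every value in a
    # recording is public; the only thing the stolen key lets them recompute
    # from it is the tag they could forge anyway, never the session key.
    stolen_key = SERVER_KEY
    transcript1 = rec1["c_pub"].to_bytes(NBYTES, "big") + rec1["s_pub"].to_bytes(NBYTES, "big")
    reproduces_tag = auth_tag(stolen_key, transcript1) == rec1["tag"]

    # Impersonation of a NEW connection with the stolen key is accepted...
    k_victim, _ = client_connect(SERVER_KEY, lambda c_pub: server_respond(stolen_key, c_pub))
    # ...while a responder without the key is rejected.
    k_rejected, _ = client_connect(SERVER_KEY, lambda c_pub: server_respond(b"not-the-key", c_pub))

    return {
        "both_sides_agree": k1 == server_sessions[0] and k2 == server_sessions[1],
        "fresh_key_per_session": k1 != k2,
        "recording_holds_no_ephemeral_private": set(rec1) == {"c_pub", "s_pub", "tag"},
        "stolen_key_reproduces_tag_not_session_key": reproduces_tag and k1 not in (rec1["tag"], rec2["tag"]),
        "impersonation_with_stolen_key_accepted": k_victim is not None,
        "impersonation_without_key_rejected": k_rejected is None,
    }


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name:45} {ok}")
```

The "specific conditions" both providers attach to the impersonation risk follow directly from the model: the attacker needs not only the key but a way to answer the client's connection in the server's place, and the window closes when the certificate is revoked or the key is rotated, which is why key rotation rather than traffic history is the remediation both posts describe.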
How We Classify VPN Incidents
| Label | Meaning | What It Does Not Automatically Mean |
|---|---|---|
| Confirmed unauthorised access | A vendor, authority or credible technical investigation confirms that an attacker entered a system or accessed protected files. | Personal data was necessarily accessed, copied or exposed. |
| Confirmed data breach | There is evidence that protected customer or organisational data was accessed, acquired or disclosed without authorisation. | Every customer, field or system was affected. |
| Vulnerability | A weakness exists in software or hardware and may have a CVE identifier. | Attackers exploited it or accessed data. |
| Active exploitation | A vendor, government or credible researcher observed attacks using the flaw. | Every vulnerable deployment is compromised. |
| Fake installer | Attackers distribute malware using a provider’s branding or legitimate program components. | The provider’s official servers, app store listing or accounts were breached. |
| DDoS or outage | Availability is disrupted by traffic flooding, blocking or operational failure. | Traffic was decrypted or customer data was stolen. |
| Server seizure or legal search | Authorities physically or legally attempt to obtain systems or information. | Useful customer records existed or were obtained. |
What Consumer VPN Users Should Do
- Install only from an official source: use the provider’s verified website or a recognised app store.
- Check the digital signature: a familiar filename and icon do not prove a Windows installer is genuine.
- Update promptly: client hardening can prevent malicious DLL loading and other local attacks.
- Separate outages from breaches: act when credentials or devices may be compromised, not merely because a server is unavailable.
- Use unique passwords and MFA: a VPN account should not share credentials with email, banking or cryptocurrency accounts.
- Revoke sessions after malware exposure: changing a password may not invalidate stolen browser cookies or application tokens.
What Businesses Should Do
- Inventory internet-facing gateways: include forgotten appliances, test systems and end-of-support versions.
- Track exploited-vulnerability catalogs: patching priority should consider real-world exploitation, not only CVSS.
- Remove deprecated protocols: legacy IKEv1 and unsupported clients create avoidable exposure.
- Investigate, do not only patch: persistent artefacts and stolen credentials can survive a software update.
- Restrict management interfaces: administration should not be broadly exposed to the internet.
- Rotate secrets after configuration exposure: device backups can contain credentials, private keys and internal topology.
- Segment remote access: a compromised VPN account should not provide unrestricted internal movement.
Methodology and Update Policy
Vendor advisories, regulator notices, CISA and national cyber-agency publications, court or police records and named technical research receive the greatest weight. Anonymous claims and threat-actor advertisements are not treated as confirmed without corroboration.
Each entry answers four questions: what happened, whether exploitation or unauthorised access is confirmed, what information may have been exposed and what action is required. Historical cases are included when they demonstrate recurring risks such as third-party hosting, gateway patching, key storage, legal demands, malicious installers or persistence after remediation. This is a curated tracker, not a complete CVE database.
Absence from this tracker does not prove that a service has never experienced an incident. Some events are never disclosed publicly, and vendors use different definitions of “breach”, “compromise” and “customer impact”.
Frequently Asked Questions
What is the difference between a VPN breach and a VPN vulnerability?
A vulnerability is a weakness that may be exploitable. A breach requires unauthorised access to a system or data. A critical CVE can exist without a known victim, while a breach may result from stolen credentials without a new CVE.
Does a VPN outage mean my browsing data was stolen?
No. DDoS attacks and blocking affect availability. They do not automatically decrypt VPN traffic or expose account information.
Are fake VPN installers counted as provider breaches?
Only when the official distribution channel or provider infrastructure was compromised. Malware hosted on an attacker-controlled site is labelled as impersonation or malicious repackaging.
Why are corporate VPN gateways included?
Enterprise remote-access systems are frequent entry points for ransomware and espionage. Their risk model differs from consumer privacy services, so they are filtered and labelled separately.
Does a no-logs policy guarantee nothing can be exposed?
No. A provider may still hold account, billing, support, fraud-prevention, crash or infrastructure data. No-logs claims usually concern browsing or connection activity and must be read within their stated scope.
What should I do after installing a fake VPN?
Disconnect the device, run an endpoint investigation, revoke sessions and change credentials from a clean device. Reinstalling the VPN alone may not remove malware or invalidate stolen tokens.
Written by Martin Needs
Director at NeedSec LTD | Cybersecurity Expert | 10+ Years Experience
“The most important tracker field is often not severity. It is evidence: was data actually accessed, is exploitation confirmed, and does the affected configuration match the reader’s system?”
Sources
- CISA — Known Exploited Vulnerabilities Catalog, including CVE-2026-50751.
- Check Point — Active exploitation advisory for CVE-2026-50751 and CVE-2026-50752.
- Ivanti — Sentry advisory for CVE-2026-10520 and CVE-2026-10523.
- Canadian Centre for Cyber Security — Ivanti advisory AV26-567.
- Cyderes Howler Cell — Trojanised X‑VPN installers and STX RAT analysis.
- Meduza — Amnezia VPN disruption and disputed attribution.
- Fortinet PSIRT — Threat-actor persistence through malicious SSL‑VPN symbolic links.
- Mullvad — Search warrant incident.
- Mullvad — Follow-up from the Swedish prosecution authority.
- Windscribe — Ukraine server seizure and remediation.
- CISA — Pulse Connect Secure emergency directive.
- CISA and partners — 2021 routinely exploited vulnerabilities.
- NordVPN — Official response to third-party datacentre server access.
- CISA — 8 June 2026 alert adding CVE-2026-50751 to the Known Exploited Vulnerabilities catalog.
- NVD — CVE-2026-10520 Ivanti Sentry unauthenticated root-level remote code execution.
- NVD — CVE-2026-10523 Ivanti Sentry authentication bypass.
- watchTowr Labs — Technical analysis of Ivanti Sentry CVE-2026-10520 and CVE-2026-10523.
- NVD — CVE-2021-22893 Pulse Connect Secure authentication bypass and remote code execution.
- Ivanti — Pulse Connect Secure patch availability for SA44784 and CVE-2021-22893.