If you’re using a VPN, it’s likely you value your privacy online. Using a VPN protects your data, whether you connect to the internet through public WIFI or your own home or office network. By bouncing your network connection through a secure chain to another server (usually the home base of the VPN), the process works to shroud your network identity. When a VPN is working correctly, it should block your personal IP address and internet browsing history from being gathered up by advertisers, social networking sites, government agencies, hackers, and more. A functional VPN is the key to protecting your privacy, passwords, financial information, and location when browsing online.
Unpacking the Windscribe VPN provider security breach
Enter the Windscribe VPN provider security breach. Because privacy is the main reason why an individual or company might choose to use a VPN in the first place, the security breach on the Windscribe servers was especially problematic. Users on the Windscribe VPN discovered that their information could have been accessed as part of a Ukrainian government investigation. Ordinarily, a VPN should protect against this kind of invasion. However, Windscribe revealed that it had failed to protect its own servers, rendering them susceptible to be read by anyone.
What happened in Ukraine with the security breach?
While Windscribe is an Ontario, Canada-based company, certain of its servers that process private, encrypted traffic as part of its VPN is located in Ukraine. Two of Windscribe’s Ukrainian servers were searched by the Ukrainian government early in July 2021. The Ukrainian authorities then seized and confiscated the two servers as part of an investigation.
When servers are properly secured, a seizure-like this would not have been enough to constitute a security breach. VPN servers are usually encrypted to protect against the data that they process being read by any outside party, using keys. Additionally, some servers run on RAM memory only, meaning that no data is ever being stored on them, only processed in real-time. This protects against a data log ever being downloaded and unencrypted for future use.
Usually, VPN servers are encrypted against seizures and searches using a blend of the aforementioned methods. However, Windscribe revealed that its servers were in fact unencrypted, operating on an OpenVPN server certificate along with the private key. This kind of lapse is unprecedented in VPN technology. Windscribe founder Yegor Sevak issued a statement after the breach was revealed, saying:
“We make no excuses for this omission. Security measures that should have been in place were not. After conducting a threat assessment we feel that the way this was handled and described in our article was the best move forward. It affected the fewest users possible while transparently addressing the unlikely hypothetical scenario that results from the seizure.”
Because of this lack of encryption, the Ukrainian government was able to read any data processed along with the Windscribe servers, that was previously understood to be private. Even more alarming, Sevak admits that anyone who then accessed the key to the servers could have decrypted any of the information being passed along them.
How are VPN users affected by the Windscribe VPN provider security breach?
Prior to this failing, confidence in Windscribe was high, with reviewers praising its double-encryption technology, running data through two separate servers in an attempt to guarantee privacy. After the breach, Windscribe as a company sought to assure users that no specific user data was under attack and that all future keys required to access the network are no longer stored permanently on any servers. Furthermore, Windscribe asserted that all servers have unique, short-lived certificates, which makes them less easy to impersonate, with a singularly identifying common name. Finally, Windscribe reminds consumers that it does not log VPN traffic, meaning that data is less likely to be read in retrospect, while it may have been accessible during the investigatory breach.
Whether or not consumer confidence in Windscribe will rebound has yet to be seen. Using a VPN is specifically designed to protect against the kind of data intrusion that the Windscribe VPN provider security breach enabled. This kind of lack of basic encryption renders the use of a VPN more or less null and void as a security measure. Whether or not users’ specific information was accessed is still unknown. Additionally, the Windscribe security breach throws into question how effective certain popular VPNs may be without due diligence in preventing similar security breaches in the future.
Other News of Interest: