
Cyber Incident Victim: i2VPN

Date:

Jun 2023

Location:

United States of America

Summary

A significant security breach targeted the popular freemium VPN service i2VPN, compromising its main administrative dashboard. Hackers leaked the admin credentials on Telegram, which provided potential access to user subscription details and data centers. The exposed information could have included user IDs, account names, registered email addresses, and payment methods, posing risks of phishing and fraudulent activities against its large user base.


Description

On or around June 5, 2023, a cybersecurity incident involving the freemium VPN proxy service i2VPN was reported. The incident came to light through the work of the cybersecurity team at SafetyDetectives, who discovered that hackers had posted information allegedly obtained from an i2VPN breach on the Telegram messaging platform. The hackers claimed to have successfully breached the admin credentials of the service, thereby gaining access to i2VPN’s main admin dashboard. This access purportedly allowed them to obtain confidential information related to the service's user base.


The specific information leaked on Telegram included the administrator’s email address and password. In addition to these credentials, the hackers also shared screenshots of the administrative dashboard. These screenshots displayed data centers and user subscription details. The breach did not involve the direct release of user data sets; however, the compromise of the admin panel credentials created a significant risk. Possession of these credentials potentially granted access to a substantial amount of personal user information and sensitive data concerning the operation of the VPN's infrastructure.

i2VPN is an application with a significant user base, having been downloaded over 500,000 times from the Google Play Store alone. While the exact number of downloads from the App Store was not publicly disclosed in the report, the scale of the Play Store downloads indicates a potentially large number of affected individuals. The data that could have been exposed through the compromised admin panel included user IDs, account names, and registered email addresses. Furthermore, subscription-related information such as payment methods and subscription expiry dates was also potentially accessible.

The implications of this potential access are severe. With administrative control, attackers could have exploited the data for various malicious purposes. The ability to spy on users’ activities through the VPN service was a primary concern. Additionally, the obtained personal information, particularly names and email addresses, could be leveraged to conduct targeted phishing attacks. In such attacks, cybercriminals impersonate legitimate entities or contacts to trick individuals into divulging further sensitive personal information, such as financial details or login credentials for other services. The exposure of payment method details, though not explicitly confirmed to have been exfiltrated, also raised the possibility of financial fraud.

The report did not detail the specific methods or vulnerabilities the hackers exploited to gain the administrator credentials. Similarly, the exact timeline of the initial breach, prior to its discovery and disclosure on Telegram, was not provided. The public revelation of the incident occurred through the cybersecurity news website Hackread.com, which reported on the findings from SafetyDetectives. The article served as the primary public notification of the event, as there was no mention of an official statement or communication from i2VPN itself at the time of the reporting.

In response to the discovery, the article provided guidance directly to users of the service. It advised users to evaluate their continued use of i2VPN given the reported security concerns. It further recommended that users review all accounts, platforms, and websites they accessed while connected to the VPN service and change their login credentials for those accounts as a precautionary measure. Users were also advised to scan their devices for any sensitive files or communications and to remove or transfer them to prevent potential compromise. The article emphasized that i2VPN must take swift action to address the security vulnerabilities that led to the breach and to reinforce its systems to prevent similar incidents in the future. Users were advised to remain vigilant and to watch for any official announcements or notifications from i2VPN regarding the breach and any recommended security measures.

The report contextualized this incident within a broader trend of attacks on VPN services, noting a similar incident from just days prior in which the free VPN service provider SuperVPN had exposed 360 million user records. This pattern highlights VPN companies as a preferred target for hackers, where any security flaw can lead to significant privacy breaches for users who trust the service with their data and online activities. The incident underscores the ongoing cybersecurity challenges faced by services that handle large volumes of user data and the constant threat of credential compromise leading to large-scale data exposure.
