Update on Data Security Incident
LimeVPN was made aware by security researchers of a data security incident that resulted in a breach of information related to customers and some parts of order information from our secondary billing server.
For customers, this information included the names, email addresses, billing addresses and mobile phone numbers related to accounts globally.
WireGuard keys and VPN credentials related to a few (fewer than 100) accounts were leaked; however, these were promptly suspended. Note that the VPN credential is not the same as the client area login, as it is auto-generated by our internal system.
We confirm that credit card numbers, bank account numbers, VPN log files, client area logins or any other payment data have NOT been breached, as we do not store any payment information in our systems; it is processed by third-party gateways.
This is an approximation rather than an accurate and definitive count, as this data was breached a few months back from one of our decommissioned servers.
When the incident happened, we took immediate steps to secure the data, shut down further unauthorized access, and strengthen our data security.
We estimate that about 800+ current user accounts could have been impacted by this. There are news reports about a large data leak, which we can confirm are incorrect, as the cited information relates to the activity log of payments and not customer info.
A total of over 20,000 order info logs were part of the incident, among which the majority are order attempts/duplicates. Note – We do not store any VPN usage logs. The billing information is used to combat payment fraud and is limited to order verification purposes only.
If you are an existing customer, you would receive an automatic reset of your VPN login if your account was affected.
DO I NEED TO TAKE ANY ACTION?
We do not believe any individual customer needs to take any action. We have seen no evidence of fraud or misuse tied to the incident. We are monitoring the affected accounts and have flagged them for additional fraud protection.
There is no leak of client login details, as all information is securely hashed in the database.
We encourage all our users to regularly monitor their accounts for any issues. Please let us know via the Help Center if you see anything unexpected or unusual related to your account.
Update on the incorrectly reported key leak.
The billing profiles have had WireGuard key information in their profile info; however, this was a feature under test, and the actual WireGuard service was being beta tested by fewer than 100 users. This feature was to be launched in our upcoming release. Hence there is no impact on customers' data. The WireGuard servers were promptly suspended as well. The key that was part of the profile info was not being used by customers, as it is not yet publicly launched.
Note – 99% of our users use SoftEther & OpenVPN.