Hong Kong-based virtual private network provider PureVPN has been hacked using a recently patched flaw in the WHMCS customer relations management system.
Attackers gained access via SQL injection through specially crafted URL requests.
They then sent out a fake email to customers claiming accounts would be closed and the information handed over to unspecified authorities.
The owner of the New Zealand Geekzone technology forum, Mauricio Freitas, told iTnews he received an email purporting to be from Uzair Gadit, the founder of PureVPN.
"Dear customer, I'm sorry to inform you that due to an incident we had to close your account permanently. We are no longer able to run an anonymization service due to legal issues we are facing," the email stated.
PureVPN, which advertised its service as providing "government level online security and anonymity", was contacted by iTnews for comment but did not respond.
It told worried users via Twitter that the email was bogus and that it wasn't closing down.
Guys, email tht u received is a fake. v r NOT closing down nor hav ANY legal issue of ANY sort. V r invstigting into how this email was sent — PureVPN (@purevpn) October 6, 2013 (SIC)
"We are able to confirm that the breach is limited to a subset of registered users' email IDs and names," PureVPN said, but did not state how many people had received the fake email.
Customers were temporarily shut out of PureVPN's billing portal and client area while the company investigated the security breach.
The company said no billing information from credit cards or PayPal was stolen in the breach.
According to PureVPN, no service usage data was leaked either.
"Furthermore, as we vouch for privacy, security and anonymity on the Internet, hence we do not store actual VPN service usage logs," the provider said.
"Let us categorically deny any involvement of NSA [the United States National Security Agency] or any government in this," PureVPN told a worried customer on its website.
VPNs provide encrypted data transmissions over the internet and are popular with business and private customers to prevent snooping on and interception of traffic. Among the uses that PureVPN promotes are bypassing geoblocking of video-on-demand services such as Netflix and bypassing internet censorship in countries such as Thailand and Vietnam.
PureVPN also offers Australian residents the ability to access information geoblocked to the country from overseas, by obtaining an Internet Protocol (IP) address assigned to Australian providers.