VPN provider hacked, fake emails scare customers

Customers of Hong Kong-based virtual private network (VPN) provider PureVPN received a major scare over the weekend after a fake email was sent out to them, saying their accounts would be closed and the information handed over to unspecified authorities.

The owner of the New Zealand Geekzone technology forum, Mauricio Freitas, told iTnews he received an email purporting to be from Uzair Gadit, the founder PureVPN. The email stated:

Dear customer, I'm sorry to inform you that due to an incident we had to close your account permanently. We are no longer able to run an anonymization service due to legal issues we are facing.

We had to handover all customer’s information to the authorities unfortunately. They might contact you if they need any details about the case they are working on. The following information was handed over: your name, billing address and phone number provided during purchase and any documents we had on file (for example scan of your ID or driver’s license if you have provided these to our billing department).

We are also sorry we are not able to refund you, however if you wish your money back, please open a dispute on PayPal or file a chargeback with your credit card company. This is the only way we can refund you as our bank account is frozen during this investigation. We recommend you to do this as soon as possible as we can't guarantee all customers will get their money back. We apologize once more this had to happen.

Yours sincerely, 
Uzair Gadit

PureVPN founder
8th Floor Gloucester Tower, The Landmark, Central, Central, Central

Freitas said he wasn't too concerned as he only registered with PureVPN for trial purposes, and didn't use them for anything else or paid the provider.

"I'm sure some people will be worried," Freitas said.

PureVPN, which advertises its service as providing "government level online security and anonymity" was contacted by iTnews for comment but did not respond.

However, on its blog, PureVPN said it had been hit "with a zero day exploit" for the WHMcs customer relations management system that it uses. The exploit appears to allow an attacker to gain database access via so-called structured query language (SQL) injection, through specially crafted uniform resource locator (URL) requests.

The attacker was able to send out the fake email with SQL injection. Via Twitter, PureVPN told worried users the message was bogus and that it wasn't closing down.

Guys, email tht u received is a fake. v r NOT closing down nor hav ANY legal issue of ANY sort. V r invstigting into how this email was sent

— PureVPN (@purevpn) October 6, 2013

"We are able to confirm that the breach is limited to a subset of registered users' email IDs and names," PureVPN said, but did not state how many people had received the fake email.

Customers were temporarily shut out of PureVPN's billing portal and client area while the company investigated the security breach.

The company said no billing information from credit cards or Paypal was stolen in the breach.

According to PureVPN, no service usage data was leaked either.

"Furthermore, as we vouch for privacy, security and anonymity on the Internet, hence we do not store actual VPN service usage logs," the provider said.

"Let us categorically deny any involvement of NSA [the United States National Security Agency] or any government in this," PureVPN told a worried customer on its website.

VPNs provide encrypted data transmissions over the internet and are popular with business and private customers to prevent snooping on and interception of traffic. Among the uses that PureVPN promote are bypassing geoblocking of video on-demand services such as Netflix and also to bypass internet censorship in countries such as Thailand and Vietnam.

PureVPN also offers the ability for Australian residents to access information geoblocked to the country from overseas, by means of getting an Internet Protocol (IP) address assigned to Australian providers.