[New research] Are VPN passwords secure? Two million malware-stolen passwords say no.

Today, the Specops research team is publishing new data on VPN passwords that have been stolen by malware. In total, our threat intelligence research team found 2,151,523 VPN passwords that have been compromised by malware over the past year. These are all real stolen passwords chosen by end users to access VPNs, and they all represent a possible opportunity for a hacker to gain unauthorized access.

The research also coincides with the latest addition of over 193 million compromised passwords to the Specops Breached Password Protection service.

Darren James, Senior Product Manager at Specops Software, said this about the findings: “Organizations require their end users to access corporate networks via VPNs primarily for security and privacy reasons. VPNs encrypt data transmitted between the user’s device and the corporate network, helping to protect sensitive information from being intercepted by unauthorized individuals, particularly when employees are using unsecured or public Wi-Fi networks.

“VPNs allow IT departments to control and manage access to resources within the corporate network. This includes enforcing security policies, managing bandwidth, and monitoring network traffic, which helps in maintaining the overall health and security of the network. They also help comply with these regulations by securing the transmission of data and providing access controls and audit trails.

“But if VPN passwords are becoming compromised, these great cybersecurity benefits can be undone and actually offer a route into your organization for attackers. End users often use their Active Directory credentials to log into corporate VPNs, and they may also be reusing their Active Directory passwords to access personal VPNs too.”

Most breached VPN providers and passwords

Top breached VPN service providers

While VPNs significantly enhance security by encrypting data and providing a secure connection to the internet, they are not without their vulnerabilities, especially concerning password security. If VPN servers are configured to allow unlimited login attempts, they can be vulnerable to brute force attacks, where attackers use automated tools to try a vast number of password combinations to gain unauthorized access.

As shown in the below table, the top three targeted VPN service providers (ProtonVPN, ExpressVPN, and NordVPN) are three of the most popular and secure VPNs on the market. Despite the well-documented security of the VPN product itself, over a million Proton VPN end users have had their credentials compromised by malware. It’s a lot easier for cybercriminals to target the end users’ login credentials than try to hack the VPNs themselves.

Users might be tricked into entering their VPN credentials on fraudulent websites. Phishing attacks can be sophisticated, mimicking legitimate VPN login pages to steal usernames and passwords. Malware such as keyloggers can capture keystrokes, including VPN passwords, if they are installed on a user’s device. This can happen if the device is already compromised before connecting to the VPN or if the VPN fails to include or enforce the use of anti-malware tools.

Top 10 VPN service providers

Top 10 VPN service providersNumber of stolen passwords
protonvpn.com1,306,229
expressvpn.com94,772
nordvpn.com89,289
cyberghostvpn.com83,648
droidvpn.com77,429
vpnelf.com27,581
vyprpn.com25,533
openvpn.com24,67
safervpn.com21,561
purevpn.com21,114

Top breached VPN passwords

The below table shows the most commonly compromised passwords from the VPN services. Common keyboard walks like “12345” and “qwerty” are represented, as well as common weak passwords such as “Admin” and “password”. We also see “P@ssw0rd” show up as a weak attempt to meet an organization’s complexity requirements (e.g. must contain a capital letter, number, and special character). It’s also interesting to note “protonvpn” and “dyadroid1” in the list, as these were two of the top five most breached service providers. Some end users have clearly just typed in the product name as a password.

If an organization doesn’t enforce strong password policies for VPN access, users might choose weak or easily guessable passwords, making it easier for attackers to breach the VPN. Password reuse is a serious risk too. End users often reuse passwords across multiple services. If a password is compromised on one service, all other accounts using the same password, potentially including VPN accounts, are at risk.

The most common password word being found only 5,290 times (or the often very common “password” only 554 times) in this data set of over two million times seems quite low. This could suggest that end users may have generally been using unique, or even strong passwords for their VPN credentials. But this hasn’t stopped them from becoming compromised.

Top breached VPN passwords

Top stolen passwordsNumber of times found
1234565,29
1234567894,969
123456784,803
12342,665
123451,792
12345678901,398
admin1,064
868689849622
password554
qwertyuiop475
1234567460
123123123457
1346a1967429
123123394
kally256394
Suzhou@123388
hosein2181384
qwerty123368
sshstore368
07r7p082izpshdzzx0cxsldenve3bcrf365
112233348
11111111344
123324
protonvon314
P@sswOrd306
1111294
021176JT284
qwerty282
asdfghjkl269
dyadroid1268

Top associated email domains

We’ve also recorded the top email domains associated with stolen VPN passwords. The top four are unsurprising due to their popularity with consumers. Proton VPN had the most stolen passwords, so it’s notable to see their own email domain in the list.

Top associated email domains

Top associated email domainNumber of times found
gmail.com606,605
hotmail.com50,859
yahoo.com26,82
outlook.com14,048
protonmail.com9,066
icloud.com6,118
qq.com3,563
live.com3,45
hotmail.fr2,914
proton.me2,765

What about corporate VPN use?

It’s probable that a lot of the compromised passwords in our dataset were consumer passwords, due to the associated email domains. The biggest risk to organizations with these passwords is whether end users are reusing the compromised passwords at work. However, it’s even riskier when a corporate VPN is directly compromised, as Active Directory passwords are often intentionally the VPN password aka used to authenticate the VPN connection to a corporate network.

Below, we’ve highlighted a number of compromised passwords that are more likely to be directly stolen from corporate VPNs (after excluding email domains usually associated with consumers). While there are commonly seen weak passwords like ‘admin’, it’s worth noting that several of these passwords would pass the length and complexity requirements for Active Directory in a lot of organizations. If you have a password blocklist, it might be worth adding these.

Suspected stolen corporate VPN passwords
admin
123456
Abcd@123#
admin123
P@ssword
abc123456+
Аа12345678
88366733
MilanO
Porta2016
Lordthankyou2
Vv88888888
A10203040a
V3ls1s1234
zzx3239852
uzair12345
qst1234

Find more compromised passwords in your network

Today’s update to the Breached Password Protection service includes an addition of over 52 million compromised passwords to the list used by Specops Password Auditor. You can find out how many of these compromised passwords are being used by your end users with a quick scan of your Active Directory with our free auditing tool: Specops Password Auditor.

Specops Password Auditor is read-only and doesn’t store Active Directory data, nor does it make any changes to Active Directory. You’ll get an easy-to-understand exportable report detailing password-related vulnerabilities that could be used as entry points for attackers. Download for free here.

What are the risks of compromised corporate VPN passwords?

The most immediate risk is that the attacker can gain unauthorized access to the corporate network. This access allows the attacker to impersonate the legitimate user, potentially gaining the same level of access to sensitive data and critical systems as the user. Once inside the network, the attacker can steal sensitive data such as personal information, financial records, intellectual property, and more. This data can be used for various malicious purposes, including identity theft, financial fraud, or selling the data on the dark web.

The attacker can use the compromised VPN credentials to plant additional malware within the network. This malware can be used to create backdoors, disrupt services, or further compromise security systems. With access to the network, an attacker could potentially disrupt operations by deploying ransomware, deleting critical data, or otherwise tampering with network infrastructure. This can lead to significant downtime and loss of productivity.

Reusing Active Directory passwords

Password reuse is worryingly common. A Google poll found that 52% of US adults admit to reusing the same password for at least some of their online accounts – with 1 in 8 reusing the same password across all of their online accounts.

If an end user has reused their Active Directory password as their VPN password, and this password is compromised, the implications can be significantly more severe. Say an attacker gains access to an Active Directory account, they then potentially have access to all systems and resources that the user has permissions for, not just the VPN. This could include email accounts, file storage, databases, and administrative systems.

If the compromised account has administrative privileges, the attacker could alter security settings, create new accounts, modify or delete data, and install malicious software across the network. This level of access allows for more extensive damage and theft. Remedying a breach involving Active Directory credentials is often more complex and costly. It may require a comprehensive security audit, resetting of passwords network-wide, and possibly rebuilding compromised systems from scratch to ensure all traces of the attacker are removed.

How to detect compromised Active Directory credentials

It should be a given that organizations want all of their Active Directory passwords to be strong. However, it’s also important to bear in mind that the two million VPN passwords in this research have been stolen by malware. Even strong passwords can be stolen. And we know end users admit to regularly reusing passwords. This highlights the importance of being able to scan your Active Directory for the threat of breached passwords on an ongoing basis.

Specops Password Policy with Breached Password Protection protects your end users against the use of more than 4 billion unique known compromised passwords, including data from both known leaks as well as our own honeypot system that collects passwords being used in real password spray attacks. Our continuous scan feature checks all Active Directory passwords against the Breached Password Protection API for compromise once a day – the API is updated daily with newly discovered compromised passwords from our password honeypot system in addition to newly discovered password leaks when they occur.

Interested to see how Specops Password Policy could fit in with your organization? Have questions on how you could adapt this for your needs? Contact us or see how it works with a demo or free trial.

(Last updated on October 4, 2024)

picture of author marcus white

Written by

Marcus White

Marcus is a Specops cybersecurity specialist based in the UK. He’s been in the B2B technology sector for 8+ years and has worked closely with products in email security, data loss prevention, endpoint security, and identity and access management.

Back to Blog

Related Articles

  • [New Data] Block These Top Keyboard Walk Patterns Found in Compromised Passwords

    Keyboard Walk “Qwerty” Found in Compromised Passwords More than 1 million times Today, the Specops research team is sharing the results of their latest findings on the use of keyboard walk patterns in compromised passwords. The release of these findings coincides with the latest addition of over 6 million compromised passwords to the Specops Breached Password…

    Read More
  • [New Research] Best Password Practices to Defend Against Modern Cracking Attacks

    Today, the Specops research team is publishing new data on how long it takes modern attackers to brute force guess user passwords with the help of newer hardware. This data with the latest addition of over 15 million compromised passwords to the Specops Breached Password Protection service. “The recent headline-making news of the possibilities of…

    Read More
  • [New research] Do longer passwords protect you from compromise?

    The Specops Breached Password Protection Database Now Tops Over 4 Billion Unique Compromised Passwords We’re sharing some new findings from the Specops research team about password length and how it can still be circumvented by attackers. These findings coincide with the latest addition of 10.2 million passwords to the Specops Breached Password Protection service, which now…

    Read More