14 DAY TRIAL // Over the weekend, customers of VPN provider PureVPN started receiving emails which informed them that their accounts were shut down “due to an incident.” The company’s systems have been hacked and the attackers used some stolen email addresses to send out the bogus notifications.
“I'm sorry to inform you that due to an incident we had to close your account permanently. We are no longer able to run an anonymization service due to legal issues we are facing,” the fake emails, apparently signed by PureVPN Founder Uzair Gadit, read.
“We had to handover all customer’s information to the authorities unfortunately. They might contact you if they need any details about the case they are working on. The following information was handed over: your name, billing address and phone number provided during purchase and any documents we had on file.”
The real Uzair Gadit has published a blog post to reassure customers that the emails are fake.
“This morning some of our users have received a fake email and we are putting this blog post as a clarification. We are NOT closing down nor do we have outstanding legal issues of any sort. We have neither been contacted by any authorities nor do we store our user's personal data to share with anyone,” he noted.
In a later update, he confirmed that the company suffered a data breach. The attackers exploited a WHMCS vulnerability to gain access to a “limited subset” of email addresses and names.
“While we are investigating the cause of the email, we reemphasize that, as we do not store any of our users credit card nor PayPal information in our on-site databases, there has been no compromise in our users billing information,” Gadit said.
“Similarly, service troubleshoot logs (connection attempts, users IPs, etc) are safe and intact as we do not store such logs on site. Furthermore, as we vouch for privacy, security and anonymity on the internet, hence we do not store actual VPN service usage logs.”