• Skip to main content
  • Skip to header right navigation
  • Skip to site footer
RestorePrivacy

RestorePrivacy

Resources to stay safe and secure online

  • News
  • Tools
    • Secure Browser
    • VPN
    • Ad Blocker
    • Secure Email
    • Private Search Engine
    • Data Removal
      • Incogni Review
    • Password Manager
    • Secure Messaging App
    • Tor
    • Identity Theft Protection
    • Unblock Websites
    • Browser Fingerprinting
    • Privacy Tools
  • Email
    • Secure Email
    • ProtonMail Review
    • Tutanota Review
    • Mailfence Review
    • Mailbox.org Review
    • Hushmail Review
    • Posteo Review
    • Fastmail Review
    • Skiff Mail Review
    • Runbox Review
    • Temporary Disposable Email
    • Encrypted Email
    • Alternatives to Gmail
  • VPN
    • What is VPN
    • VPN Reviews
      • NordVPN Review
      • Surfshark VPN Review
      • VyprVPN Review
      • Perfect Privacy Review
      • ExpressVPN Review
      • CyberGhost Review
      • AVG VPN Review
      • IPVanish Review
      • Hotspot Shield VPN Review
      • ProtonVPN Review
      • Atlas VPN Review
      • Private Internet Access Review
      • Avast VPN Review
      • TorGuard Review
      • PrivadoVPN Review
    • VPN Comparison
      • NordVPN vs ExpressVPN
      • IPVanish vs ExpressVPN
      • CyberGhost vs NordVPN
      • IPVanish vs NordVPN
      • ExpressVPN vs PIA
      • VyprVPN vs NordVPN
      • CyberGhost vs ExpressVPN
      • NordVPN vs HideMyAss
      • ExpressVPN vs ProtonVPN
      • Atlas VPN vs NordVPN
      • ExpressVPN vs Surfshark
      • NordVPN vs Proton VPN
      • Surfshark vs CyberGhost
      • Surfshark vs IPVanish
    • Best VPNs
      • Best VPN for Torrenting
      • Best VPN for Netflix
      • Best Free VPN
      • VPN for Firestick TV
      • Best VPN for Android
      • Best VPN for Gaming
      • Best VPN for PC
      • Best VPN for Disney Plus
      • Best VPN for Hulu
      • Best VPN for Mac
      • Best VPN for Streaming
      • Best VPN for Windows
      • Best VPN for iPhone
    • VPN Coupons
      • ExpressVPN Coupon
      • NordVPN Coupon
      • Cyber Monday VPN Deals
      • NordVPN Cyber Monday
      • Surfshark VPN Cyber Monday
      • ExpressVPN Cyber Monday
    • VPN Guides
      • Free Trial VPN
      • Cheap VPNs
      • Static IP VPN
      • VPN Ad Blocking
      • No Logs VPN
      • Best VPN Chrome
      • Best VPN Reddit
      • Split Tunneling VPN
      • VPN for Binance
      • WireGuard VPN
      • VPN for Amazon Prime
      • VPN for Linux
      • VPN for iPad
      • VPN for Firefox
      • VPN for BBC iPlayer
    • By Country
      • Best VPN Canada
      • Best VPN USA
      • Best VPN UK
      • Best VPN Australia
      • VPN for Russia
    • VPN Router
  • Password
    • Best Password Managers
    • Comparisons
      • NordPass vs 1Password
      • 1Password vs LastPass
      • NordPass vs LastPass
      • RoboForm vs NordPass
      • 1Password vs Bitwarden
      • Dashlane vs NordPass
      • 1Password vs Dashlane
      • NordPass vs Bitwarden
    • KeePass Review
    • NordPass Review
    • 1Password Review
    • Dashlane Review
    • RoboForm Review
    • LastPass Review
    • Bitwarden Review
    • Strong Password
  • Storage
    • Best Cloud Storage
    • pCloud Review
    • Nextcloud Review
    • IDrive Review
    • SpiderOak Review
    • Sync.com Review
    • MEGA Cloud Review
    • NordLocker Review
    • Tresorit Review
    • Google Drive Alternatives
  • Messenger
    • Secure Messaging Apps
    • Signal Review
    • Telegram Review
    • Wire Review
    • Threema Review
    • Session Review
  • Info
    • Mission
    • Press
    • Contact
  • News
  • Tools
    • Secure Browser
    • VPN
    • Ad Blocker
    • Secure Email
    • Private Search Engine
    • Data Removal
      • Incogni Review
    • Password Manager
    • Secure Messaging App
    • Tor
    • Identity Theft Protection
    • Unblock Websites
    • Browser Fingerprinting
    • Privacy Tools
  • Email
    • Secure Email
    • ProtonMail Review
    • Tutanota Review
    • Mailfence Review
    • Mailbox.org Review
    • Hushmail Review
    • Posteo Review
    • Fastmail Review
    • Skiff Mail Review
    • Runbox Review
    • Temporary Disposable Email
    • Encrypted Email
    • Alternatives to Gmail
  • VPN
    • What is VPN
    • VPN Reviews
      • NordVPN Review
      • Surfshark VPN Review
      • VyprVPN Review
      • Perfect Privacy Review
      • ExpressVPN Review
      • CyberGhost Review
      • AVG VPN Review
      • IPVanish Review
      • Hotspot Shield VPN Review
      • ProtonVPN Review
      • Atlas VPN Review
      • Private Internet Access Review
      • Avast VPN Review
      • TorGuard Review
      • PrivadoVPN Review
    • VPN Comparison
      • NordVPN vs ExpressVPN
      • IPVanish vs ExpressVPN
      • CyberGhost vs NordVPN
      • IPVanish vs NordVPN
      • ExpressVPN vs PIA
      • VyprVPN vs NordVPN
      • CyberGhost vs ExpressVPN
      • NordVPN vs HideMyAss
      • ExpressVPN vs ProtonVPN
      • Atlas VPN vs NordVPN
      • ExpressVPN vs Surfshark
      • NordVPN vs Proton VPN
      • Surfshark vs CyberGhost
      • Surfshark vs IPVanish
    • Best VPNs
      • Best VPN for Torrenting
      • Best VPN for Netflix
      • Best Free VPN
      • VPN for Firestick TV
      • Best VPN for Android
      • Best VPN for Gaming
      • Best VPN for PC
      • Best VPN for Disney Plus
      • Best VPN for Hulu
      • Best VPN for Mac
      • Best VPN for Streaming
      • Best VPN for Windows
      • Best VPN for iPhone
    • VPN Coupons
      • ExpressVPN Coupon
      • NordVPN Coupon
      • Cyber Monday VPN Deals
      • NordVPN Cyber Monday
      • Surfshark VPN Cyber Monday
      • ExpressVPN Cyber Monday
    • VPN Guides
      • Free Trial VPN
      • Cheap VPNs
      • Static IP VPN
      • VPN Ad Blocking
      • No Logs VPN
      • Best VPN Chrome
      • Best VPN Reddit
      • Split Tunneling VPN
      • VPN for Binance
      • WireGuard VPN
      • VPN for Amazon Prime
      • VPN for Linux
      • VPN for iPad
      • VPN for Firefox
      • VPN for BBC iPlayer
    • By Country
      • Best VPN Canada
      • Best VPN USA
      • Best VPN UK
      • Best VPN Australia
      • VPN for Russia
    • VPN Router
  • Password
    • Best Password Managers
    • Comparisons
      • NordPass vs 1Password
      • 1Password vs LastPass
      • NordPass vs LastPass
      • RoboForm vs NordPass
      • 1Password vs Bitwarden
      • Dashlane vs NordPass
      • 1Password vs Dashlane
      • NordPass vs Bitwarden
    • KeePass Review
    • NordPass Review
    • 1Password Review
    • Dashlane Review
    • RoboForm Review
    • LastPass Review
    • Bitwarden Review
    • Strong Password
  • Storage
    • Best Cloud Storage
    • pCloud Review
    • Nextcloud Review
    • IDrive Review
    • SpiderOak Review
    • Sync.com Review
    • MEGA Cloud Review
    • NordLocker Review
    • Tresorit Review
    • Google Drive Alternatives
  • Messenger
    • Secure Messaging Apps
    • Signal Review
    • Telegram Review
    • Wire Review
    • Threema Review
    • Session Review
  • Info
    • Mission
    • Press
    • Contact

Windscribe VPN Security Breach: Servers and Private Key Seized

July 19, 2021 By Sven Taylor — 5 Comments
Windscribe servers seized security breach

Windscribe, a popular VPN based in Canada, has suffered a major security breach. Ukrainian authorities seized Windscribe servers and also obtained Windscribe’s private key, which allows them to decrypt traffic from Windscribe users. Windscribe staff has admitted they failed to properly encrypt their servers and are in the process of updating VPN infrastructure to “follow industry best practices.”

Millions of people around the world use VPN services, trusting that the VPN has taken the proper steps to ensure security. However, in some cases, a VPN will deviate from “industry best practices” — and this can harm and/or put the VPN’s users at risk. Such is the case with Windscribe.

While you may think that a VPN server seizure could be devastating for user privacy, this is not always the case. To understand why, let’s first look at a few previous examples before we closely examine what went wrong with Windscribe.

When servers are secure, server seizures are no big deal

We have been following the VPN space closely for many years and have seen a few cases where authorities have seized VPN servers. If the VPN service has its act together, this should not be a big deal. Here are two such examples that we covered in our no logs VPN article:

  • Perfect Privacy, a Switzerland-based VPN, had servers in Rotterdam, Netherlands seized by authorities. Perfect Privacy’s servers were securely encrypted and did not contain any logs, thereby preventing any customer data from being exposed. Additionally, Perfect Privacy runs all servers on RAM memory only, without hard drives. This ensures no user data can ever be stored on any VPN server and nothing is available for anyone who seizes a server.
  • ExpressVPN, which is based in the British Virgin Islands, had a similar incident. Authorities in Turkey were investigating a criminal suspect, who they believed also used ExpressVPN. They seized the ExpressVPN server in question, but again, there were no logs or data available. This case verified ExpressVPN’s no-logs claims, and they even went on to follow Perfect Privacy’s lead and converted all servers to run in RAM-disk with no hard drives.

Unfortunately, things did not go so well with Windscribe, prompting a major security overhaul, audit announcement, and more…

Windscribe servers seized, critical data left unencrypted

On July 8th, Yegor Sak, founder of Windscribe, announced on the Windsribe blog that “OpenVPN Security Improvements and Changes” were in the works. The article begins by explaining what is changing and the impact on users. However, it is only when you get further down in the article that we learn why things are changing.

Here is an excerpt from the announcement:

On June 24th 2021 our monitoring systems alerted us that two servers in Ukraine had gone offline. When engaging with our provider for those servers, we were informed that the two servers had been seized as part of an investigation of activity that occurred 12 months prior. The hosting provider failed to inform us of a preliminary hearing that took place earlier this year, during which a judgement was rendered to seize the two servers in question.

It’s interesting to see Windscribe attempt to push blame on the hosting provider, which may have been barred from revealing any information from the court judgment. But we also see why Windscribe is doing this. Had they been notified of the situation, they could have ensured their servers were encrypted and secure.

But that was not the case because Windscribe was not following “industry best practices” — by their founder’s admission.

Reading further, we find this alarming quote:

Windscribe servers hacked
Windscribe decided to not encrypt its servers in Ukraine.

This announcement is quite revealing because it shows that:

  1. Windscribe picks and chooses which VPN servers to encrypt and which to remain unencrypted and exposed to random third parties.
  2. Windscribe does not consider Ukraine to be a sensitive country, despite the ongoing conflict and instability we have seen in the region since 2014.
  3. This also shows that Windscribe has been operating for many years without basic server security, putting Windscribe users at risk.

How this security breach affects Windscribe users

The biggest issue of this Windscribe security breach is that Ukrainian authorities obtained Windscribe’s private key, which allows them to decrypt VPN traffic under certain conditions. If this happened, they would be able to see what Windscribe users were doing while connected to the Ukrainian server and also collect/log this data.

This once again shows that without proper security, privacy also goes out the window.

Windscribe explained in its blog post that this mistake allows Ukrainian authorities to “impersonate a Windscribe VPN server and capture VPN tunnel traffic running through it” under the right circumstances. And while there are certain conditions that need to be met in order to capture traffic, this incident deals a major blow to Windscribe’s reputation.

Windscribe plans to take “corrective actions”

Windscribe’s blog post also details some corrective actions they plan to take.

We have been working on in-memory based servers for some time, and building out our automation for a new PKI and provisioning infrastructure.

The simple truth is that these safeguards were not in place when the server seizure occurred. This should not have happened and we understand that it hurts the trust you all have placed in us. The plans to upgrade our server stack were deferred in order for us to grow our team and build the foundations that would allow us to execute the planned improvements.

Remember above when we noted that other VPNs (and their customers) have survived server seizures without any issues?

The key factor with both Perfect Privacy and ExpressVPN is that they were running secure, encrypted servers. Additionally, both VPNs have all servers in their network running on RAM memory without hard disks.

These leading VPN services have been doing this for years. In fact, most of our top VPN recommendations secure their servers and run the entire network on RAM memory without hard drives:

  • NordVPN: All servers running in RAM, rolling out self-owned (colocated) hardware for all locations.
  • Surfshark: All servers running in RAM memory.
  • ExpressVPN: One of the first VPN services to implement RAM servers, behind Perfect Privacy.

Windscribe has also announced these additional actions in response to the security incident:

  1. Wireguard as the primary protocol. (We have covered the pros and cons of WireGuard here.)
  2. Resilient authentication backend
  3. New application features
  4. Security audit

Similar to what we found with RAM servers, we also find many of the same leading VPN services have passed various security audits.

Can Windscribe be trusted?

Many VPNs undergo turbulence, with some rising back strong, while others struggle to ever make a comeback. We noted the same phenomenon in the wake of the recent LimeVPN hack, where a threat actor was able to hack LimeVPN’s backup database and sell all the data on a hacking forum.

There are also cases of breached trust when it comes to logs and privacy. Recall the IPVanish logging case, where they claimed to have “zero logs” while logging user data an FBI investigation. The same thing happened with PureVPN, despite it being on the other side of the world and not subject to US jurisdiction.

A history of unprofessionalism

Is this Windscribe security breach a big surprise?

Not really. As we previously noted in our Windscribe review, the VPN comes across as unprofessional, kind of like a snarky teenager who doesn’t take anyone seriously. For example, below is a screenshot of the Windscribe VPN app. You can see check boxes for errors and problems, with faint grey lettering about how they are “just kidding.”

windscribe VPN errors

They are not laughing anymore.

Time will tell how this VPN fares and if it can recover from its mistakes. We have never been enthusiastic about recommending Windscribe. So nothing changes on our end.

There are plenty of other good VPN services to consider using, particularly those that have been implementing “industry best practices” for many years.

About Sven Taylor

Sven Taylor is the lead editor and founder of Restore Privacy, a digital privacy advocacy group. With a passion for digital privacy and accessible information, he created RestorePrivacy to provide you with honest, useful, and up-to-date information about online privacy, security, and related topics.

Reader Interactions

Comments

  1. Kay

    May 15, 2022

    Is Windscribe related to Windstream at all?
    What do you know about Sekur?

    Reply
    • Sven Taylor

      May 16, 2022

      No, I do not think Windscribe is related to Windstream.
      We have not tested or reviewed Sekur, but perhaps later in the year we will. Our recommendations for secure email are here.

      Reply
  2. Naz

    February 26, 2022

    So what Vpn would people recommend now outside of the eyes?

    Reply
    • Sven Taylor

      February 26, 2022

      Here are the ones we recommend.

      Reply
  3. James Macpherson

    February 7, 2022

    that metadata is there on every CA verified cert.
    you can see it if you click on the padlock and click on “My Connection Is Secure”

    the formatting of the information was the issue by the look of it.

    have a look on godaddy. they break down cost. more expensive ones allow for more proofs that the ownere is who they claim to be.

    Reply

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Sidebar

Digital Privacy Essentials:
Secure Browser
Private Search Engines
Secure Email
Best Password Managers
Secure Messaging Services
Best Ad Blockers
Best VPN Services
Secure Cloud Storage

Privacy & Security Guides:
Privacy Tools
Alternatives to Google Products
Firefox Privacy Modifications
Five Eyes, 9 Eyes, 14 Eyes Spying
Browser Fingerprinting
Is Tor Safe?
Alternatives to Gmail
VPN vs Tor
Alternatives to WhatsApp
Is Your Antivirus Spying on You?
Controlling Communication Channels is Crucial for Privacy
Anonymity Networks: VPNs, Tor, and I2P
How to Really Be Anonymous Online
Private and Anonymous Payments

Secure Email Reviews:
ProtonMail Review
Tutanota Review
Mailfence Review
Mailbox.org Review
Hushmail Review
Posteo Review
Fastmail Review
Runbox Review
CTemplar Review
Temporary Email Services
Encrypted Email

Password Manager Reviews:
Bitwarden Review
LastPass Review
KeePass Review
NordPass Review
Dashlane Review
1Password Review
Best Password Managers

Secure Messaging App Reviews:
Wire Review
Signal Review
Threema Review
Telegram Review
Session Review
Wickr Review

Secure Cloud Storage Reviews
Tresorit Review
MEGA Cloud Review
Sync.com Review
Nextcloud Review
IDrive Review
pCloud Review
SpiderOak Review
NordLocker Review

How To Guides
How to Encrypt Files on Windows
How to Encrypt Email
How to Configure Windows 10 for Privacy
How to use Two-Factor Authentication (2FA)
How to Secure Your Android Device for Privacy
How to Secure Your Home Network
How to Protect Yourself Against Identity Theft
How to Unblock Websites
How to Fix WebRTC Leaks
How to Test Your VPN
How to Hide Your IP Address
How to Create Strong Passwords
How to Really Be Anonymous Online

About RestorePrivacy

Contact

Restore Privacy Checklist

  1. Secure browser: Modified Firefox or Brave
  2. VPN: NordVPN [63% Off Coupon] or Surfshark
  3. Ad blocker: uBlock Origin or AdGuard
  4. Secure email: Mailfence or Tutanota
  5. Secure Messenger: Signal or Threema
  6. Private search engine: MetaGer or Brave
  7. Password manager: NordPass or Bitwarden

About

RestorePrivacy is a digital privacy advocacy group committed to helping people stay safe and secure online. You can support this project through donations, purchasing items through our links (we may earn a commission at no extra cost to you), and sharing this information with others. See our mission here.

We’re available for Press and media inquiries here.

RestorePrivacy is also on Twitter

COPYRIGHT © 2023 RESTORE PRIVACY, LLC · PRIVACY POLICY · TERMS OF USE · CONTACT · SITEMAP