More Than Two Million Stolen VPN Passwords Discovered
2024-9-20 16:59:56 Author: securityboulevard.com (view original) Views: 6 Bookmarks

More than 2.1 million stolen VPN passwords have been compromised by malware in the past year, highlighting a growing risk for unauthorized access to secure networks, according to a Specops Software report.

These passwords, chosen by end users for VPN access, present significant vulnerabilities, potentially allowing hackers to infiltrate corporate systems.

The report noted that despite the strong security of popular VPN services like ProtonVPN, ExpressVPN and NordVPN, more than a million ProtonVPN users had their credentials stolen via malware.

“Attackers are increasingly bypassing direct attacks on VPNs by targeting end users instead,” the report noted.

Cybercriminals exploit weak password practices, phishing attacks and malware to obtain VPN login details. Sophisticated phishing schemes mimic VPN login pages, while keyloggers capture credentials on infected devices.


The research also revealed the most compromised VPN passwords, with predictable patterns such as “12345,” “qwerty” and “password” topping the list.

Even slight variations like “P@ssw0rd” show a weak effort to meet complexity requirements, offering little real protection.

Service-related terms like “protonvpn” and “dyadroid1” also appeared frequently, indicating that some users set their VPN’s name as the password.

The findings highlight the ongoing problem of poor password practices, which continue to expose even secure VPN services to potential breaches through easily guessable credentials.

Patrick Tiquet, vice president of security and architecture at Keeper Security, explained that the rise of VPNs in the 1990s, and their surge in use during the COVID-19 pandemic, transformed them into essential tools for remote access.

“However, the discovery of millions of stolen VPN passwords demonstrates a dangerous example of their limitations,” he said.

While VPNs encrypt traffic and mask IP addresses, they can’t prevent attacks like malware infections or phishing.

Tiquet noted this vulnerability underscores that VPNs are not a cure-all for online security, and businesses need to evolve beyond solely relying on VPNs, incorporating additional defenses like remote browser isolation (RBI) to guard against such threats.

He said that, to prevent cyberattacks stemming from the theft of VPN credentials, organizations should implement multi-factor authentication (MFA) and enforce strict password hygiene.

“Passwords should be at least 16 characters long and include a mix of uppercase and lowercase letters, numbers and special characters,” he added. “Avoid using easily guessable information such as birthdays or common words.”

The Passwordless Push

Traditional VPN technology, especially when it relies on password-based authentication, carries significant security risks, including susceptibility to password theft, brute-force attacks and malware exploitation.

In contrast, alternatives such as passwordless, certificate-based authentication and zero-trust network access (ZTNA) models offer superior security by eliminating shared secrets and reducing the potential attack surface, thereby substantially mitigating the risks inherent in conventional VPNs.

Jason Soroko, senior fellow at Sectigo, cautioned that while password hygiene and multi-factor authentication offer some mitigation, they still rely on vulnerable shared secrets.

“Transitioning to passwordless solutions like certificate-based authentication provides a superior defense against credential theft,” he said.

Soroko added that organizations can detect compromised VPN credentials by monitoring for unusual login activity, employing breach detection services, and using security tools that alert on credential misuse, though these methods are largely reactive.

Tiquet said conducting an audit of current VPN access logs for unusual activity is crucial.

“Businesses should also segment their networks to minimize the damage potential of a compromised VPN account and apply any available security patches to VPN software,” he said.
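As an added illustration of the log review Soroko and Tiquet describe (this is example code, not from the Specops report or either vendor), the script below runs three simple anomaly rules over a constructed sample of VPN authentication events. The log format, the one-hour window, the failure threshold and the 06:00 to 20:00 UTC working hours are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN auth log (not real data): timestamp user result source_ip country
SAMPLE_LOG = """\
2024-09-18T08:02:11Z alice SUCCESS 203.0.113.10 US
2024-09-18T08:04:50Z alice FAILURE 198.51.100.7 BR
2024-09-18T08:05:02Z alice FAILURE 198.51.100.7 BR
2024-09-18T08:05:20Z alice SUCCESS 198.51.100.7 BR
2024-09-18T09:15:00Z bob SUCCESS 203.0.113.44 US
2024-09-18T02:30:00Z carol SUCCESS 192.0.2.9 US
"""

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, user, result, ip, country = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "result": result, "ip": ip, "country": country})
    return events

def find_anomalies(events, window=timedelta(hours=1), fail_threshold=2,
                   business_hours=range(6, 20)):
    """Return (user, rule) pairs for three signs of a misused VPN account."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        successes = [e for e in evs if e["result"] == "SUCCESS"]
        # Rule 1: successful logins from two countries inside the window.
        for a, b in zip(successes, successes[1:]):
            if a["country"] != b["country"] and b["ts"] - a["ts"] <= window:
                alerts.append((user, "geo_change"))
        # Rule 2: a run of failures immediately followed by a success.
        fails = 0
        for e in evs:
            if e["result"] == "FAILURE":
                fails += 1
                continue
            if fails >= fail_threshold:
                alerts.append((user, "failures_then_success"))
            fails = 0
        # Rule 3: successful login outside the assumed working hours (UTC).
        for e in successes:
            if e["ts"].hour not in business_hours:
                alerts.append((user, "off_hours"))
    return alerts
```

On the sample, alice trips the first two rules and carol the third; bob produces no alert.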

Source: https://securityboulevard.com/2024/09/more-than-two-million-stolen-vpn-passwords-discovered/