The seizure by the Ukrainian government has prompted the company to promise better security in the future.
Windscribe, a popular VPN based in Canada, has recently suffered a major security breach. Ukrainian authorities seized Windscribe servers and also obtained Windscribe’s private key. The private key is a critical component, as it allows them to decrypt traffic from Windscribe users.
Windscribe staff has admitted they failed to properly encrypt their servers. They say they are in the process of updating VPN infrastructure to “follow industry best practices.”
The Ontario, Canada-based company said earlier this month that two servers in Ukraine were seized as part of an investigation into activity from a year earlier.
The servers ran the OpenVPN virtual private network software. They used a setting that they had deprecated in 2018 after security research revealed vulnerabilities that could allow adversaries to decrypt data.
From the Director: a promise to do better
Windscribe Director Yegor Sak described in a blog post the steps his company is taking to improve. “We’re sunsetting (discontinuing) our current OpenVPN certificate authority in favor of a brand new one that follows industry best practices.”
Sak has also been very candid and open about accepting blame for the breach. “Security measures that should have been in place were not,” he admits. “This should not have happened and we understand that it hurts the trust you all have placed in us.”
However, he hastens to add that “No user data was or is at risk.”
“We will have a third party assessment completed to validate that our next-gen server stack and provisioning system is sound,” Sak promises.
“We want to guarantee that our service delivers on all of the promises that we make by virtue of being a VPN provider.”