The hackers leveraged a zero day flaw in WHMCS to access customers' names and e-mail addresses.
Customers of VPN provider PureVPN recently began receiving e-mails stating that the company was shutting down due to legal issues -- but PureVPN quickly announced that the e-mails were fake, and had been sent by hackers who had accessed customers' names and e-mail addresses (h/t Softpedia).
In a blog post on October 6th, PureVPN co-founder Uzair Gadit explained, "We are NOT closing down nor do we have outstanding legal issues of any sort. We have neither been contacted by any authorities nor we store our user's personal data to share with anyone."
Later the same day, Gadit added, "Preliminary reports suggest that we are hit with a zero day exploit, found in WHMCS; 3rd party CRM that we use on our website: http://blog.whmcs.com/?t=79427 We are able to confirm that the breach is limited to a subset of registered users Email IDs and names."
Gadit also stated that no credit card data or other sensitive personal information was compromised, and wrote, "We deeply regret this compromise and apologize with our valued users. We further believe we'll learn from our mistakes and grow even stronger. Once the investigation report is out, we'll be announcing compensation for the affected users."
Photo courtesy of Shutterstock.