With a Virtual Private Network (VPN) everyone – from a student or a housewife to a Silicon Valley entrepreneur – can take charge of their cybersecurity and make it harder for hackers to steal their sensitive information. But are you truly safe? Can a VPN be hacked?

How does a VPN work?

To figure out whether a VPN can be hacked, we need to understand how it works. Let’s start with the basics – how your device connects to the internet.

When you type a website address into your browser, your request is sent to your router and on to your Internet Service Provider (ISP). The ISP then sends it along to the website’s servers, gets the info you need, and sends it back to you. This is only a simplified version of how the internet works.

However, this isn’t ideal if you care about your security. The router can be vulnerable, especially if you’re on public wifi. Your ISP and website servers can collect a lot of personal information about you such as your IP address, your location, and what you do on the internet. Without a VPN, all that data is out in the open for almost anyone to see. That’s where the VPN comes into play.

VPN flow illustrationA VPN creates a secure tunnel for your data. The information you send to your ISP gets encrypted before even leaving your device, so the ISP can’t see what you’re doing. Your information then travels from the ISP to a VPN server that changes your IP address. Now, the website’s servers won’t see your original IP, instead will be seeing the IP and location of your VPN server.

Can you be hacked when using a VPN?

A VPN is a great tool to protect yourself from snoopers and keep your information safe. But is your data really 100% safe from malicious attackers? Let’s review them step by step.

1. Your Device

Your device may be vulnerableBefore the information leaves your device, it gets encrypted by the VPN app. If anyone manages to snoop on your traffic, all they’ll see is incomprehensible gibberish. They cannot decrypt that information without having an encryption key, which is only available on two devices – yours and the VPN servers. There’s only one way to get your sensitive information at this point – by compromising you or your device.

If you’ve already caught a virus, used a weak password or fell for a social engineering attack, a VPN will not be able to protect you. Hackers will already have access to your device and as a result will be able to see everything you do on it. Double check that you don’t practice bad internet behaviors and if you do, stop them before it’s too late.

2. The encryption

Encryption is your VPN's strong pointIf your device is secure and your VPN is on, your message or inquiry will be encrypted when you send it. One of the only ways to read it now would be by cracking your encryption protocol. However, strong encryption is what makes VPNs so reliable, so it’s not as easy as it might sound.

Sending information over the internet is like sending letters in the mail (but much faster). Anyone who can get their hands on the letters can see who sent them, where they’re going, and can even open them to see what’s inside. To stop snoopers, however, you can invent your own code language. By encrypting your message, it is now useless gibberish to anyone who reads it. The rules you used to change the words are your encryption key, and only someone with the key can change your gibberish back into the original message.

VPN encryption works in a similar way, but with advanced military-grade encryption. The encryption key here is a huge string of characters that are used to scramble and unscramble your data. To find the encryption key, hackers would need to try every possible combination, which is called a brute-force attack. But the AES 256-bit, which is recognized as an industry standard, has so many of them that it would take the most powerful computer about a billion years to find the right key.

3. VPN servers

VPN servers have various security features

The security of your message when it reaches the VPN server can vary significantly depending on your provider. If you’re self-hosting a VPN, then your server is only as secure as you make it. Plus, since your server will usually host a single user (you), you’ll still be quite easy to track online. A free VPN provider may deploy some security tools, but many also monitor users’ traffic. Every premium VPN might deploy different security features, but all of them can be depended on to provide far above-average security.

At this point, the VPN server will decrypt your message and send it to your destination. However, an easy way to ensure end-to-end encryption is by using HTTPS sites. HTTPS forms a separate encrypted connection between your browser and the site you’re visiting. It’s not as powerful as the encryption provided by a premium VPN, but it will keep your connection encrypted after it has left the VPN server.

4. Websites you visit

You must trust who you connect toOnce your data leaves the VPN server to go to the website, it’s again out in the open if you visit websites with unsecure HTTP connection. Even though no one spoofing on the traffic will be able to tie that information back to you that doesn’t mean that you can visit suspicious sites without a worry.

If you fall for a phishing scam and click on a spoofed link, your device can instantly be affected with malware. It will then be overtaken by a hacker and VPN will no longer be able to help you. So when using NordVPN, make sure you turn on Cybersec, which will block ads and dangerous websites.