The 2021 Data Breach: What Happened, What We Learned, and How LimeVPN Is Stronger Today

Addressing the 2021 Data Breach Head-On

In 2021, LimeVPN experienced a data security incident. We believe in complete transparency with our users, which is why we are addressing this directly rather than hoping it fades from memory. Here is what happened, how we responded, and why LimeVPN is more secure today than ever before.

What Happened

In mid-2021, an unauthorized party gained access to a backup server that contained billing system data. This included email addresses and payment information associated with user accounts. The breach was identified and the affected server was immediately taken offline.

What Was NOT Compromised

Critically, no VPN traffic data was exposed — because that data never existed. LimeVPN maintains a strict no-logs policy. We do not store browsing history, connection timestamps, bandwidth usage, DNS queries, or IP address logs. The VPN infrastructure itself was not breached.

Our Immediate Response

Upon discovering the breach, we took immediate action. We shut down the affected server within hours of detection. We notified affected users and recommended password changes. We engaged independent cybersecurity experts to conduct a full forensic investigation. We reported the incident to relevant authorities.

How We Rebuilt From the Ground Up

Rather than patching vulnerabilities, we made the decision to rebuild our entire infrastructure from scratch. Every system was redesigned with security as the primary requirement.

RAM-Only Servers

All LimeVPN servers now operate in RAM-only mode. This means no data is ever written to a physical hard drive. When a server is rebooted, all data is completely wiped. This makes it physically impossible for seized servers to contain any user data.

Enhanced Encryption

We upgraded to AES-256-GCM encryption across all OpenVPN connections and added WireGuard support with ChaCha20 encryption. All connections use perfect forward secrecy with unique session keys.

Infrastructure Security

We implemented hardware security modules (HSMs) for cryptographic key management. Multi-factor authentication is required for all administrative access. Our network is segmented so that a compromise of one system cannot spread to others.

Independent Audits

We now conduct regular independent security audits and penetration testing. Our no-logs policy has been verified by third-party auditors who confirmed that our systems are architecturally incapable of storing user activity logs.

Why This Makes LimeVPN Stronger

Many VPN providers have never been tested by a real security incident. LimeVPN has been through one and came out stronger. Our rebuilt infrastructure incorporates every lesson learned. We are committed to earning and maintaining your trust through transparency, strong security practices, and continuous improvement.

Our Promise

We will continue to operate with a strict no-logs policy. We will maintain RAM-only servers across our entire network. We will conduct regular independent security audits. We will be transparent about any future security incidents. Your privacy is our business — and we take that responsibility seriously.