For Hola VPN, One Price of Free is Shoddy In-House Security

In the News

For Hola VPN, One Price of Free is Shoddy In-House Security

July 11, 2018

As we have explained in the past, free VPNs are, without exception, too good to be true. Google Chrome users who utilize the free VPN extension Hola and manage their cryptocurrencies with MyEtherWallet were told in a tweet on Monday to move their tokens to new accounts lest they lose their funds—that is, if their funds still existed.

The tweet explained that Hola, the VPN service which claims to serve 159 million users with “secure browsing” for free, became compromised for five hours in a cryptocurrency heist specifically targeting MEW users.

We received a report that suggest Hola chrome extension was hacked for approximately 5 hrs and the attack was logging your activity on MEW.

— MyEtherWallet.com (@myetherwallet) July 10, 2018

According to sources who spoke with TechCrunch, the attack appeared to originate from a Russian IP address.

The following day, Hola posted a blog detailing the attack; they explained that hackers compromised the company’s Google Chrome Store account, whereupon the perpetrator uploaded a fake version of the extension rigged with a JavaScript injection. The rogue app re-directed all MEW users who were not using incognito mode to the hacker’s counterfeit phishing website aimed to garner information about MEW accounts. Hola told users they secured their Chrome Store account and replaced the fake app with a legitimate version, but not before the hackers got away with an unknown, untraceable amount of digital coinage.

Hola went on to perform a bit of victim blaming with the declaration, “We will work with MEW and others in the ecosystem on standards that will make Crypto wallets safer from these forms of attacks.” A not-so-subtle suggestion that the online wallets were responsible for Hola’s inability to safeguard their own Chrome Store account.

Such rhetoric feels on par with a company who injects ads into browsers and sells its userbase’s bandwidth to enable its own botnet.

MEW also makes it abundantly clear they absolve themselves of accountability to their users, reminding people they are not a bank, and when a user visits the site, a pop-up warns, “You and only you are responsible for your security.”


Netizens should take this experience to heart; users who arm themselves against phishers and scammers—as well as invest in a reputable VPN service who likewise invests in user privacy and security—are much better equipped to avoid becoming a future casualty of cyber marauders.

30-Day Money-Back Guarantee

Get VyprVPN Now