Hackers have leaked more than 900 VPN passwords

It has been reported that a hacker has published a list of over 900 plaintext usernames and passwords for Pulse Secure VPN enterprise servers, along with the servers' IP addresses, on a Russian-speaking hacker forum that is frequented by multiple ransomware gangs.

Tech reporting company ZDNet obtained an exclusive copy of the list with the help of threat intelligence firm KELA and verified its authenticity with multiple sources in the cyber-security community.

The published list includes:

~ The IP addresses of the Pulse Secure VPN servers

~ The last VPN logins, including usernames and cleartext passwords

~ A list of all local users and their password hashes

~ Admin account details

~ Pulse Secure VPN server firmware version

~ SSH keys for each server

~ VPN session cookies

The list was spotted by Bank Security, a threat intelligence analyst who specializes in financial crime. The security researcher noted that all of the Pulse Secure VPN servers included in the list were running a firmware version vulnerable to CVE-2019-11510, a vulnerability from 2019 whose description reads: "In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URI to perform an arbitrary file reading vulnerability."

It is believed that the hacker who compiled this list did so by scanning the entire internet IPv4 address space for Pulse Secure VPN servers. They then used an exploit for the CVE-2019-11510 vulnerability in order to gain access to the systems and obtain the security details.


Pulse Secure VPN servers are usually used to allow staff to connect remotely to internal company applications.

Compromised systems allow hackers easy access to a company’s network.

It is important for companies to immediately patch any affected Pulse Secure servers.

It is equally important that those companies then change their passwords.
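To find which servers need that patch and password change, an inventory of firmware versions can be checked against the fixed releases named in the CVE description quoted above. The script below is an added example, not code from ZDNet, KELA or Pulse Secure; the hostnames, the sample inventory and the assumed version string format (such as "9.0R3.4") are constructed for illustration.

```python
import re

# First fixed release per branch, from the CVE-2019-11510 description quoted above.
FIXED = {
    (8, 2): (12, 1),  # 8.2 before 8.2R12.1
    (8, 3): (7, 1),   # 8.3 before 8.3R7.1
    (9, 0): (3, 4),   # 9.0 before 9.0R3.4
}

# Assumed version string shape: <major>.<minor>R<release>[.<patch>], e.g. "9.0R3.4".
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)R(\d+)(?:\.(\d+))?")

def parse_version(text):
    """Return ((major, minor), (release, patch)), or None if the string does not parse."""
    m = VERSION_RE.match(text)
    if not m:
        return None
    major, minor, release, patch = m.groups()
    return (int(major), int(minor)), (int(release), int(patch or 0))

def classify(version_text):
    """Return 'vulnerable', 'fixed', 'unlisted' or 'unparseable' for a firmware string."""
    parsed = parse_version(version_text)
    if parsed is None:
        return "unparseable"
    branch, release = parsed
    if branch not in FIXED:
        return "unlisted"  # branch not named in the quoted description; check the vendor advisory
    return "vulnerable" if release < FIXED[branch] else "fixed"

def triage(inventory):
    """Map each host to its classification; inventory is {host: firmware string}."""
    return {host: classify(fw) for host, fw in inventory.items()}

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "vpn-a.example.internal": "9.0R3.3",
    "vpn-b.example.internal": "9.0R3.4",
    "vpn-c.example.internal": "8.3R7",
    "vpn-d.example.internal": "8.2R12.1",
    "vpn-e.example.internal": "9.1R1",
    "vpn-f.example.internal": "unknown",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        action = "patch, then change passwords" if status == "vulnerable" else "verify"
        print(f"{host:26} {status:12} {action}")
```

A result of "fixed" only describes the firmware running now; a server that was patched after being exposed still needs its passwords changed.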

We previously wrote about how important it is to have a lengthy password. Please read our previous article here: https://rhynonetworks.com/are-you-following-the-new-password-guidelines/

These actions are imperative for company protection, as many of the gangs that have access to this data tend to deploy their ransomware and then demand huge ransom amounts before companies can regain access to their files.

As always, if we can be of help with your network or computer, give us a call here at RHYNO Networks. (855) 749-6648