Did ExpressVPN leak my credit card info?

… [deleted]

I haven’t thought of any other plausible explanations, but perhaps there’s something I’ve missed here?


Seems like a reasonable assumption to make. I wouldn’t be surprised. Many companies leak our credit card information without anyone ever noticing. Could another possibility be that privacy.com leaked your information, even though they may not be aware of it? :thinking:


That’s an excellent point (and one I hadn’t considered). It could be the case, although I would be surprised if only one card was affected. It would additionally be a pretty bad target for credit card fraud, since all the cards are locked to single merchants. But the possibility is worth an amendment to the article.

I don’t think this is all too likely. It would mean that ExpressVPN stores all credit card data themselves. That’s quite unusual. If you want to store such data you need to be compliant with PCI DSS, which is heavily (self-)regulated by the payment industry.

Non-compliance basically would mean you get banned from all major credit card providers.

It is far more likely that ExpressVPN used a payment service provider. This is in order to transfer the risk to that provider, who specializes in transactions. If so, the impact could potentially be much larger.

Looking at the website of ExpressVPN as of right now, they seem to be using Braintree as payment service provider, as well as loaded objects of Chargebee and PayPal. Therefore I find it highly unlikely that ExpressVPN stores the credit card data themselves. It would frankly be quite stupid to do so.

One small detail I forgot to clarify. Such payment service providers do not give merchants access to the credit card data. Only the last 4 digits are commonly shown, and the card holder name, if anything at all.


On the title that is being shown as “Sq beautycounter”: this is very interesting. I once tried to figure out how these titles are set at some banks. Many banks don’t show nice titles of the vendor but rather the strange messy string configured in the payment terminal.

I noticed that most neobanks (and seemingly also privacy.com) use different descriptors that are much more clean. I once asked whether these titles are something they have programmed themselves, as I have noticed quite a few times that they were incorrectly assigned, and also in cases where I am 90% certain that the merchant did not configure it like this themselves.

I never really got hold of what is actually going on there, but this triggered it again. My kind of assumption is that those titles are configured by either AI or some cheap third party contractor (probably in India (no offense)) based on certain parameters. Obviously that could explain why you and I have both seen inconsistencies in naming. That I find a much more believable story. And this is really the fault of the neobanks who chose to do business with such data labeling companies. It’s open to error and inconsistency in the name of customer experience.

Regardless of my theory, probably best to freeze your card. However, please be aware that in most (at least western) jurisdictions it is their risk and not yours.

With all my commenting here I want to address that I think you draw conclusions without knowing all the details. It’s good that you signal and alert people about possible fraud, but know that there are many aspects and possible causes. I warn against drawing such conclusions early on.


Thank you for your well thought out responses. The explanations you allude to of a payment service provider having some sort of breach seem much more likely.

You’re absolutely right, I was drawing a premature conclusion, and I failed to consider some important context. I’ve taken down the article in light of this.

Additionally, thanks for the concern—the card in question was closed shortly after the initial charge.


Well, they did leak your DNS: https://www.expressvpn.com/blog/windows-app-dns-requests/