Hotspot Shield VPN Full Review 2024: Narrowly Misses a Spot Among the Greats

by Dr. Frederik Lipfert, Founder, vpncheck
Updated on 19 Feb 2022
Frederik is a serial entrepreneur who jumped into entrepreneurship after earning his doctorate in physics. Founding and running an analytics company got him into the online privacy and security space he's now contributing to with vpncheck.

Expert Contributions

Raeesa Essop, Network Engineer
Cassandra Mackin, UI / UX Designer
Jason Alexander, Cybersecurity Researcher
Gillian Carrington, Privacy & Data Protection Lawyer
Tamara Milacic, Pricing Expert
Brendan Filipovski, Business Consultant
This review is based on the exclusive research, analyses, and tests our experts have conducted of NordVPN.

In conducting our review of Hotspot Shield, our findings tell us that this VPN service could have been among our top three best VPNs for 2024. It performs well in terms of speed and other metrics but not so much on keeping things to itself, which is what we pay VPNs to do. You know those scams where you are told you are earning money that will never be anything but numbers on a screen?

Well, when a VPN is tracking, logging, and selling customers’ information to third parties, the whole concept of a Virtual Private Network becomes an illusion, like the ‘earnings’ from those scams or like a ‘moo point.’

A ‘moo point?’ you ask, bewildered (unless you watched Friends).

Yes. A moo point is like a cow’s opinion. It just doesn’t matter. It’s ‘moo.’ Hotspot Shield can ask you to trust them to keep you safe online, but that doesn’t mean you should, especially not when the people you are trying to hide from can see everything.

To be fair, Hotspot Shield has cleaned up its act since the complaints emerged and has actually done quite well, so much so that this review is necessary, to paint a complete picture.

Hotspot Shield is fast, reliable, and easy to use. It comes with three apps (1Password, Identity Guard, and Robo Shield; the names of these apps may vary depending on geographical location), round-the-clock customer support, and P2P support.

Hotspot Shield is also one of the few VPNs that work in China.

In this review, we are going to examine every pertinent piece of information about Hotspot Shield’s performance and usability, so you can make an informed choice and find out if this is the one for you, as well as address the privacy and security concerns.

Hotspot Shield Features Summary

TLDR? Here are some facts to get you started on your VPN search:

  • Extensive network – The VPN boasts a large user base of 650 million users and with servers in more than 80 countries, speedy connections abound to help users unblock streaming services, download files safely, and even support torrent downloads.
  • Speed – Hotspot Shield is one of the fastest VPNs we have seen (delivering over 400 Mbps over short distances and 60 Mbps on congested servers).
  • Streaming – You can use Hotspot Shield to unblock Netflix, iPlayer, Prime Video, and Disney+ streaming.
  • Security – There are three extra apps for a holistic security approach. The company is also tightening security and cleaning up its logging practices.
  • Kill Switch Capability – The automated kill switch doesn’t buckle and is certainly a welcome feature. Unfortunately, it’s only available on the Windows and Android applications.
  • Free Version – There’s a free version, but it is highly monetized (targeted ads), throttled, and limited to 500 MB per day.
  • Onion over VPN (Tor) is supported, to allow extra layers of security for those who would like to keep their activities online hidden.

Next, we’ll delve into performance details, learn how to set up Hotspot Shield, and figure out if this is a good VPN for you.

Hotspot Shield: Free Version AND Free Trial?

Yes! Hotspot Shield provides a free version, with limited functionality and ads (of course), as well as a 7-day free trial of their premium VPN service. For the free trial, you can cancel your account at any time during the 7 days or get automatically signed up to a full-time premium subscription. During the free trial period, you will not be limited in any way and will be allowed access to all the features that premium users get.

There is no data cap on the 7-day trial you get, which allows you to run all sorts of tests before making a commitment. 

Hotspot Shield Performance: (Not) The Fastest of ALL VPNs?

Hotspot Shield claims to be the fastest VPN for streaming and gaming. But which platforms are we exactly talking about here and in what quality? We’ve reached out to one of our industry experts, Raeesa Essop, who has a strong background in digital signal processing to conduct detailed testing of Hotspot Shield’s overall performance.

Our Expert Review and Rating of Hotspot Shield’s Network Performance

Raeesa Essop
Network Engineer

There were high expectations for this VPN as there were many claims around the Catapult Hydra protocol and what it could achieve. Personnel at Ookla’s Speedtest.net claimed that over short distances Hotspot Shield was more than 1.4x faster than the nearest competitor. For long distances that jumps to 2.2 times faster than the nearest competitor. They also made claims that the VPN itself could increase the download speed by up to 26%.

Over the short distance test, the download speed did in fact increase. When using the South African server, the download speed increased from 44.67Mbps to 55.56Mbps. This is noteworthy, but none of the other servers exhibited this. The other servers showed the typical drop of over 50% in both download and upload speeds. Some outliers included Russia and India which showed only a 7.82 and 5.12MBps drop in download speed respectively. Some other European servers experienced less than a 25% decrease in download rates which is impressive when considering any VPN. The upload speeds were less than satisfactory for the 23 tested servers.

When testing the designated five servers over 5 different distances, the performances were better. The time of testing was earlier in the morning and the servers were at a minimum capacity of 30% and a max capacity of 41%. The upload speeds still exhibited a 60% drop but were more consistent across all of the servers. The latencies (considering distance) were acceptable for gaming over the short-distance tests. That is, they were less than 200ms. The latency never exceeded 500ms even for the instance of testing servers in different continents. This does put it above several other VPNs tested in terms of latency.

When testing the connection from the ISP to several different locations using the speed test, the VPN did fare better in comparison to just using the ISP. This indicated that using the VPN did in fact increase speed for most of the instances and was better than not using a VPN at all.

Regarding the poor upload rate, this VPN may not be suited for commercial use. However, a functionality that is suited to commercial use is the split tunneling feature. This feature worked well when tested using the browser as well as when using Wireshark.

DNS traffic was intercepted but the VPN did pass several DNS leak tests. The authentic IP was never disclosed and the fact that a VPN was being used was never detected. The streaming quality was acceptable for the casual user and the unblocking of several geo-restricted streaming platforms was easily done.

The VPN protects the user’s identity while performing better than the ISP alone for various functions. It allows the unblocking of any geo-restricted platforms and has the adequate functionality that is expected from a commercial VPN.

Based on my opinion as an Electronic and Automation Engineer, I rate Hotspot Shield VPN 7 /10.

    According to Raeesa, Hotspot Shield offers the lowest latencies, but loses out in terms of download and upload speeds when compared to Surfshark. The tests performed, and how our expert reached her verdict, are covered in the conclusion of our review.

    Streaming

    It is worth noting that streaming services are not exactly on board with VPNs making content available to everyone like this. They have come down hard on many services over the years. However, Hotspot Shield stands out as one of the best VPNs for Netflix. Regional controls will not stand in your way when you have Hotspot Shield.

    Even so, Hotspot Shield performs as well as other top-tier VPNs when it comes to streaming and does not seem to have run into significant problems with streaming platforms. You can unblock major streaming platforms like Netflix, Hulu, Disney+, Amazon Prime Video, BBC iPlayer, Twitch, HBO Max, Apple TV+, Showtime, Paramount+, Peacock, as well as new entries and lesser-known ones like Vudu, Crunchyroll, Discovery+, ESPN, ITV, AT&T TV, IPTV, Sling TV, Kodi, fuboTV, beIN Sports, Sky Go, Channel 4 UK, Zattoo, Crackle, Hotstar, Locast, M6 France on 6play, ORF, DStv Africa, CBC live, Spotify, Pandora radio and more.

    For most of these streaming platforms, you will be required to have a separate account for each one, to access the content posted there. Hotspot Shield only helps you unlock content that is geographically tied to specific locations.

    NOTE: Sometimes, you may be blocked from viewing content on one server, but then you can switch to another one. Hotspot Shield will recommend a location that works for streaming and even games. 

    A sample of how Hotspot Shield shows recommendations of the best VPN location for gaming and streaming videos

    You’d be pleased to know that if you use Kodi (the media player) for your TV or desktop, Hotspot Shield supports configuration for it.

    Torrents/torrenting

    You can use Hotspot Shield for torrenting since it supports the service with unlimited bandwidth (the upload and download speeds are excellent) and shared IP addresses. The service is recommended for use with uTorrent and BitTorrent.

    Hotspot Shield security will mask your IP address and keep P2P activities away from the prying eyes of your ISP. Compared to what other VPNs offer, Hotspot Shield stands out as a great VPN for torrents, with details included in the Help Center to aid your usage. 

    Compatibility and Servers

    Hotspot Shield is compatible with a lot of devices and platforms. As we mentioned, you can use it on Windows, macOS, Android, iOS, Fire Stick, Linux devices, and Android TVs. From what it says on their support article on Hotspot Shield’s supported devices, you can even use it on routers running FreshTomato, GL.iNet, Asuswrt, and DD-WRT.

    Hotspot Shield shows users can install VPN and connect to devices via Wi-Fi routers

    The site’s support page indicates that the developers of the VPN are working to make it compatible with more devices.

    When it comes to coverage, Hotspot Shield has a fleet of over 1800 servers in 80+ countries and over 35 major cities across the globe.

    We looked at the Hotspot Shield server locations available and found sufficient coverage, spanning the Americas, Europe, Asia Pacific, the Middle East, and Africa. The network is incredibly reliable, even when connected to servers far away from your actual physical location.

    Hotspot Shield VPN has 1800+ servers in 80+ countries including 35+ cities

    Since ISPs can tell when you are using a VPN to route traffic, it is always a comfort to know that a VPN provider has obfuscated servers, which keep the eyes of your ISP away from your activity. Hotspot Shield provides this by default, enhancing the level of security.

    On the Hotspot Shield network, users get access to the provider’s private DNS server, over a fully encrypted connection to avoid information logging when you’re online.

    Hotspot Shield does not provide a dedicated/static IP to users. They are, instead, connected to the most suitable IP address available at the time of making a connection. 

    Locations

    Hotspot Shield has servers in over 80 countries. ExpressVPN provides about 94 countries in comparison, meaning Hotspot Shield’s network is extensive enough. Sadly, there are no RAM-only servers in the network. Only hardware servers are used and only 90% of the server fleet is physically located where it appears to be on a map. 

    The Best VPN for Spoofing?

    The more servers a VPN has, the easier it is to spoof your location, and speeds become significantly improved if you connect to a nearby server.

    The variety provided by Hotspot Shield is commendable. It has servers in four African countries and across South America, locations that most VPN providers tend to ignore.

    Hotspot Shield Premium dashboard shows a map of the server location you can connect to in Middle East and Africa

    Hotspot Shield Premium dashboard shows a map of the server location you can connect to Americas

    In addition to that, Hotspot Shield has a presence in countries under repressive regimes like Turkey, Russia, China, and Vietnam. At 1,800+ servers in total, Hotspot Shield has a respectable network server density. In comparison to a heavy hitter like CyberGhost though, which has over 6,800 servers, Hotspot Shield is a rookie but it sure can punch above its weight comfortably.

    The VPN is not very clear on how much of its network of servers is composed of virtual servers that only appear to be somewhere even if they are not. It is important that people know what they are being offered and Hotspot Shield says that only 90% of the servers are physically located where they appear to be on a map. 

    Hotspot Shield Design and User Experience: Clean, Yet Intimidating

    We’ve been through how it performs and we’ve seen that there’s a lot that we can, potentially, do with Hotspot Shield. But, more importantly, will it even work properly on your device? Will you cringe every time you see a poorly-designed user interface, which we see all too often recently, or is it so pleasing that it will make you want to use Hotspot Shield out of pure joy? Let’s find out from the UI/UX expert!

    Our Expert Review and Rating of Hotspot Shield’s UI/UX Design

    Cassandra Mackin
    User Interface Designer

    Hotspot Shield VPN has excellent quick-connect options but is a bit slower to connect than other VPNs. Likewise, it uses more jargon and unique verbiage than I’d like and doesn’t have accessibility options at all, except when using native notifications and permissions, which are controlled by the OS and not the app.

    Hotspot Shield Premium dashboard shows a map of the server location you're connected to, the network name, peak speeds, and data used

    The design itself is minimalistic and clean. There is a ton of white or black space (website and app, respectively), and their hover and button-press effects really make the app and website easy to navigate. 

    The color palette is a bit lacking, but that’s not necessarily a bad thing… Blue is just overused a bit on their site, especially on pages with lots of links.

    Settings and information are where you would expect them to be, with the exception of extra apps, which are located in the menu option that looks like an upload icon (see the image). 

    If you click the hamburger menu in the app, it expands the menu so you can see the words next to each icon. This is great for those who don’t know standard icons and for those of us who have never seen a Suite icon look quite like… that.

    Hotspot Shield VPN uses native notifications and they go away quickly, so they’re not obtrusive. They follow your native OS notification settings when it comes to appearing over full-screen apps, games, and movies. Likewise, it’s very easy to jump on VPN and they have automatic connect options.

    It has great support articles for when you’re feeling lost. They get major bonus points for having a great free VPN option.

    The biggest markdowns came from:
    (a) not adhering to accessibility standards in terms of font size options, color differentiation, etc., especially on their website,
    (b) not having P2P server options,
    (c) not having quick Check for Updates or Update Now options in the app menus,
    (d) using too much jargon, unique words, and uncommon icons, and
    (e) being a bit slow to connect.

    Based on my opinion as a User Experience and User Interface Designer, I rate Hotspot Shield VPN's user interface and user experience at a 7 / 10.

      But wait, there’s more! You can find our UI/UX expert’s research in the conclusion of our review. We promise it’ll be worth taking a minute, or several, to read.

      Device Compatibilities

      Hotspot Shield is compatible with most devices and provides dedicated apps for Android, iOS, Windows, macOS, some Linux distributions, and even Amazon Fire TV.

      • Android and iOS

      Even though the Android version seems to be better than the iOS version, both apps need some upgrades. Android users of Hotspot Shield can enable a kill switch, which protects traffic. iOS users don’t have that or the automatic connection when they turn on their devices.

      Both versions are missing features. For instance, neither supports the IKEv2 protocol.

      It is not easy to connect to a server that is optimal for your location on both apps. It has been a while since they had any updates and we can’t say for sure when this will change.  

      To be fair though, both apps have what you need to connect to the internet safely so, at a bare minimum, they do what they should. Note that you can run Hotspot Shield only on Android 5.0 and later, and iOS 12.0 and later.

      • Windows, Mac, and Linux

      On Windows and Mac, Hotspot Shield has a very clear and accessible dashboard. Navigation is simple, with options for just about everything you want a VPN to have. Clicking on ‘Connect to VPN’ will have you online and secure in 2-3 seconds (this is a faster connection than many of its peers).

      After you connect, you will see, to your left, the options. They include:

      • The home button
      • Speed test
      • Account
      • Aura’s apps (in premium)
      • An ‘About Us’ page
      • Support
      • Settings

      Hotspot Shield Premium dashboard shows a map of the server location you're connected to, the network name, peak speeds, and data used

      With these, you can navigate to anything you need.

      The interface itself is visually superb, displaying the server location, latency, IP address, transfer speed, load times, local network, and data usage. The information is not overwhelming and can be taken in with just one look.

      If you are a versatile user familiar with tech, you will find the more technical side of Hotspot Shield in the settings. Even new users won’t have trouble turning features on or off. In settings, you have options like automated connections when on public networks or exclusions for the traffic you don’t want.  

      To connect on Linux (Ubuntu, Debian, CentOS, and Fedora), you will need to use a command-line procedure outlined in their guide on how to install Hotspot Shield VPN on Linux.

      • TV

      The setup on this one is easy if you have an Android TV since you can get it from the Google Play Store. On an Amazon Fire Stick, which you will find in the Amazon store, download it and log in. After that, all you need to do is open it and connect it to the location of your choice. 

      A Features Review of Compatible Platforms

      Do your devices work with Hotspot Shield? Fortunately, we are going to tell you which kinds of devices are actually compatible with the VPN. This includes PC platforms, mobile platforms, TV platforms, routers, and browsers. 

      Platform | Supported Version (or higher)
      Windows | 3.11, NT 4.0, XP. All Windows desktops and laptops running Windows 7 or later are supported.
      Mac | All Mac desktops running Mac OS X 10.12 or later are supported. This includes MacBook Air, MacBook, and MacBook Pro. Also supported are the iMac, Mac Pro, and Mac mini.
      Linux | All Linux devices, boxes, etc. are supported, including Debian 8.04, Ubuntu 16.04, Fedora 12.7
      iOS | All devices running iOS 11 or later are supported. They include the iPhone, iPad, iPad Mini, and iPod Touch.
      Android | All Android OS 5.0 tablets and phones with VPN support can run the appropriate app versions of the VPN.
      Chrome | Hotspot Shield VPN for Chrome is available for Chrome version 40 and later.
      Firefox | Hotspot Shield VPN for Firefox is available for Chrome version 40 and later.
      Safari | Not supported
      Microsoft Edge | Hotspot Shield VPN for Microsoft Edge is available for Chrome version 40 and later.
      Routers | FreshTomato, DD-WRT, Asuswrt, and GL.iNet

      Additional Notes About the Platforms

      • Some of the routers will need more than the Hotspot Shield app to run. Manual installation guides are provided to aid in the process.
      • The Kill Switch feature is available and can be turned on and off on Windows and Android. On iOS, however, there is only an ‘insecure connections’ notification when you are connected to an insecure network, so you can manually turn it off. There is no kill switch in the browser extensions for any platforms.
      • Split-tunneling is available through the SmartVPN feature on Windows and Android. It is not clear if the same feature is available on any of the other listed platforms and devices.
      • There is a ‘Connect’ button when you launch the app on any device for quick connectivity with one click or tap.

      Typically, Hotspot Shield is provided to users with additional software. Though the names of the services could differ depending on geographical location, they consist of an antivirus, a spam call blocker, and a password manager.

      How to Use a VPN With Browser Extensions

      The formula is the same for most VPNs. A Chrome extension is provided for Hotspot Shield, which can be used on other browsers built using Chromium. They include Vivaldi, Brave, Edge, Epic Privacy, Torch, Comodo Dragon, and more.

      A simple search for the Hotspot Shield extension will show you results for Chrome Web Store, where the extension is found.

      Usability

      The first time you open the app after installation, this is what you’ll see:

      Hotspot Shield Premium Connect to VPN dashboard

      It is easy enough to connect to the VPN. You just click on the big button, which looks like this when connected:

      Hotspot Shield Premium dashboard shows a map of the server location you're connected to, the network name, peak speeds, and data used

      This is the home dashboard. It shows you information about the location of the server you’re connected to on a map, where it is on the map, your network name, the peak speeds, and data used while connected to the VPN. To disconnect from it, click on the blue button with a white square.

      On the left, you have icons to navigate to various settings and information:

      Hotspot Shield includes a speed test tool, access to your account details, information about Aura (the parent company of HSS), information about this VPN, access to support, and settings.

      Once in the settings, this is what you’ll see:

      Hotspot Shield Settings dashboard general options: Start on launch, Start minimized, Auto-connect, Notifications option, Connection quality feedback

      From here, you can change settings to whatever is convenient for you, check out advanced settings, and learn how to navigate with shortcuts, among other features. They are well-labeled and easy to use since turning them on or off simply takes one click.

      Security: It’s Complicated.

      Security is where Hotspot Shield seems to hit a snag, but we are going to make it simple to understand. The thing about cybersecurity is that there are many factors that influence how “secure” or how “safe” a VPN is—and this also depends on what you’re planning to do with your VPN! We know our stuff when it comes to VPNs, but nothing will be better than an overview from a real cybersecurity professional. So, we interviewed Jason Alexander, an industry expert, to get the whole picture when considering the security aspect of a virtual private network.

      Our Expert Review and Rating of Hotspot Shield’s Security

      Jason Alexander
      Cybersecurity Researcher

      People that desire a high level of privacy or anonymity and people seeking to bypass surveillance or censorship may be better off with a different solution due to a few concerns:

      Aura – The current owner is a US-based company
      This may be a privacy concern as the US government is a founding party of international systemic agency surveillance (Five eyes, 14 eyes etc). Keep in mind that in many cases international agency collaboration is the only way bad guys get caught.

      Hotspot Shield state they do not log VPN traffic; however, this is contentious
      Any US company that provides a VPN is arguably (‘most likely’ in my opinion) legally obliged to log all data usage just like ISPs. In addition, the history of data collection for Hotspot Shield has been murky. 

      The Chrome browser plugin has known privacy leaks.
      In our testing the browser plugin failed WebRTC Leak tests.
      Note: The current desktop client passed DNS leak and other leak tests without incident.

      Default Closed Source VPN algorithm
      Hotspot Shield’s VPN performs very well speed-wise, and the code has been audited by multiple parties; however, security is less certain as it is closed source.

      IKEv2 (IPSec) has recently been added to Hotspot Shield and may be available under ‘Settings, Protocols (New)’ – however, this section did not always show reliably in testing. (Support suggested updating to a more recent build.)

      Hotspot Shield’s IKEv2 implementation presumably uses Open Source OpenVPN Code; however, without auditing rights this cannot be confirmed.

      There is a history of two serious vulnerabilities
      Two vulnerabilities is not a lot for such a long time period. It is most likely there have been far more vulnerabilities that are not known or published, as Hotspot Shield is reportedly based off OpenVPN’s code (which has had a larger history of vulnerabilities). The team response to a 2020 incident was swift.

      In 2020 a vulnerability was found that can allow important system files to be overwritten and remote privilege execution (i.e., possibly admin access even if the VPN is run as a standard user). In 2018 a bug resulted in Hotspot Shield divulging sensitive information (machine, VPN connection & details and real IP address).

       

      Conclusion

      If you need a VPN you can trust to keep you private and anonymous, Hotspot Shield’s recent addition of allowing IPSec to be chosen is an improvement; however, they are still hamstrung by US ownership, murky privacy, usage of Google for DNS, and closed source concerns. Also, the history of vulnerabilities is wonderfully short – but both are very serious.

      I cannot recommend Hotspot Shield where security, anonymity or privacy is critical. In my opinion as a Cybersecurity Specialist, I rate Hotspot Shield VPN’s effective security for those that require anonymity or privacy at 4 / 10. This could be improved by a 3rd party logging and privacy audit, and making a stronger commitment around secure coding practices. Unfortunately even with these improvements, the limitation of operating within the ‘surveillance eyes’ means there will always be better options.

      For general purpose usage I rate it at 7/10. In short if you are mostly consuming media you don’t have much to worry about. If you take advantage of the extra features of the paid subscription such as the password manager, you may strongly bolster your overall effective security (many risks come from poor password management).

        Read more about Jason Alexander’s expert review and research at the bottom of this review!

        Hotspot Shield Privacy Issues

        To begin with, its logging policies have been questionable in the past and we were interested to see if any of that had changed. The reason why Hotspot Shield comes under fire on the privacy issues is because of a 2016 analysis of privacy and security risks of Android VPN apps, which shed some light on the company’s activities, some of which undermined privacy greatly. In 2017, a complaint of a similar nature to what was in the report was filed with the Federal Trade Commission (FTC) by the Center for Democracy and Technology.

        Privacy breach complaint filed against Hotspot Shield can be found on Center for Democracy & Technology or CDT's website

        In the beginning, this product was owned by a Swiss-based company called AnchorFree. In 2019, however, Hotspot Shield became part of a new company called Pango, which was later bought by a US-based company called Aura.

        Most VPNs have their headquarters outside of countries belonging to the Five Eyes alliance, of which the US is a member, and use that as a selling point for their services. Since Aura is US-based, it stands to reason that users would be wary about the implied international intelligence collection the alliance is tasked with.

        To be fair, the Five Eyes alliance is only a threat if a company keeps logs, which is why Hotspot Shield came under fire for its logging policies, with accusations that it may have been collecting data that could identify users.

        What did Hotspot Shield do About the Privacy issues?

        Since the issues came to light, the company has been working hard to clean up its privacy policies and now claims that it doesn’t log IP addresses at all. However, it is worth noting that the company logs the real IP address when users are connected, which it then deletes at the end of each session.

        The VPN also logs:

        • Email address and username
        • Your unique Mobile ID number
        • Hardware model
        • The device OS
        • Language
        • “Network information”

        There’s something about the vagueness of words like “network information” that security experts do not like. In addition to that, we would not recommend the free version of Hotspot Shield, since it may share the following information with third-party advertisers:

        • Your city-level location
        • Wireless carrier
        • IMEI number (unique mobile ID)
        • Unique advertising ID
        • MAC address

        On the free version, the kind of information collected is enough to identify you as an individual, making it all but useless as a VPN.

        So, what kind of Hotspot Shield security can premium users expect?

        Hotspot Shield Premium user settings show 3 protocol options: Automatic, Hydra, and IKEv2 (IPSec)

        1.       The Catapult Hydra Protocol

        For a name as cool-sounding as that, you’d think you’re getting all the bang your buck can muster… and, you will be. However, some users prefer the inherent security that comes with open-source security solutions that are open to review, instead of proprietary protocols like Catapult Hydra.

        However, if you are looking to feel safe, the protocol is used by McAfee, Bitdefender, and other brands that are firmly in the business of privacy. To be honest, the Catapult Hydra Protocol brings some kick to the performance of this VPN. 

        2.       Encryption

        Hotspot Shield’s security is inspired by the SDP (software-defined perimeter) model, developed originally by the US Department of Defense. It supports both 128-bit AES and 256-bit AES encryption. The VPN uses 128-bit AES encryption as the standard.

        On the website’s support pages, the VPN mentioned the fun fact that it would take nearly 14 billion years to crack 128-bit AES encryption with current computer capabilities. What they don’t mention is that this fun fact doesn’t matter if you just open the door to advertisers and governments. 

        3.       The Kill Switch

        This feature works on Android and Windows to stop your internet connection if the VPN loses connection. The feature is enabled by default when you install the VPN. You can switch it on and off in Settings > Advanced.

        4.       Auto-Protect

        Are you worried about connecting to public Wi-Fi and getting your stuff stolen? Well, Hotspot Shield has your back and will connect automatically when you connect to public networks.

        5.       IP Leak Prevention

        Hotspot Shield has a built-in DNS leak protection feature. It is enabled by default but can be turned on or off by the user.

        Hotspot Shield Premium user settings show 3 advanced options: Kill switch, Auto-protect, and Prevent IP leak

        While testing for leaks, we learned that the VPN does not guarantee leak protection for IPv6 or WebRTC. From what we could find out from existing users, sometimes, there are IPv6 leaks and sometimes it works just fine. To be on the safe side, if you are paranoid about that kind of thing, you can disable IPv6 and WebRTC.

        6.       Smart VPN

        This feature is a fairly new addition to Hotspot Shield. It is a split tunneling option that can help you bypass the VPN for some apps and websites that you do not want to be affected by the perceived locations you pick for your other activities.

         

        Did we come down too hard on Hotspot Shield for its security faults of the past?

        You have to be able to trust a VPN service and, since Hotspot Shield broke that trust, we have to be thorough. By all indications, it seems that a lot has changed for the better since the complaints were filed and the VPN changed ownership.

        Hotspot Shield Reliability: Can We Trust Hotspot Shield as a Company to Have our Back?

        A VPN, such as Hotspot Shield in this case, can be relatively secure for general purpose uses that include browsing, streaming, torrenting, gaming, etc. In other words, you may be protected from hackers trying to intercept your sensitive information. However, what about the VPN company themselves? Can we trust them with our data? And what data do they actually have on us? A Regulatory Lawyer, Gillian Carrington, gave us her professional opinion on what logs are kept by Hotspot Shield as a company, as well as a few pros and cons of their Privacy Policy.

        Our Expert Rating and Review of Hotspot Shield’s Data Privacy Policy

        Gillian Carrington
        Privacy & Data Protection Lawyer

        This is a very good, but not perfect, Privacy Policy which mainly follows the international data protection standards pertaining to such policies.  

        The positive aspects of the privacy policy include (i) complying with the data minimization and purpose limitation principles, with minimal data retention (ii) communicating in a clear, intelligible, and transparent manner, (iii) providing a breakdown across the product portfolio about what is collected and when, (iv) effective access and numerous opt-outs for consumers, (v) stating upfront that it uses ID verification (an area of growing concern to data privacy professionals on both sides of the Atlantic), (vi) excellent transparency around ARCO ++ rights and data transfers, (vii) providing a workable “superset” of GDPR/CCPA and (viii) an easy and accessible structure.

        Areas that could be improved include (i) the cookies and other tracking technologies policy which is not designed to produce specific, informed and granular consent, (ii) little transparency around the identities of third party providers with whom the company shares data, (iii) an insufficient explanation of how legitimate interest works and how a user may object to it and (iv) a corporate structure which may confuse a lay reader.

        As a Regulatory Lawyer, I rate Hotspot Shield's privacy 8.5 / 10.


          Read more on what our Legal expert found when she analyzed Hotspot Shield’s Privacy Policy in the conclusion of this review. 

          This sounds good and all, but what about their customer support? Can you trust them to be there after you’ve purchased a subscription?

          Support

          For new users, Hotspot Shield has tutorials and a detailed FAQ section. The material is accessible to everyone, including users of the free version. Premium users can make use of the 24/7 live chat feature and the option to send an email using the form in the support section of the website. 

          Hotspot Shield Support Center form to fill up the details of your issue

          The live chat feature uses a chatbot, which can be frustrating when you have a complex problem a chatbot can’t figure out. The email system is much better if you have a query that isn’t as straightforward as an FAQ. The chatbot can be bypassed if you tell it you want to speak to an actual person. 

          Hotspot Shield Chat Bot replying to your queries

          The email option (support@hotspotshield.com) is much better since it doesn’t use bots. Talking to real people for support is a great option and Hotspot Shield does not seem to have trouble answering questions. The customer service representatives are knowledgeable and friendly, which makes walking you through challenges an easy task.

          Hotspot Shield’s Business Structure

          A VPN is, after all, a service. So it makes sense that a company owns it and relies on profits earned. Trusting someone with your personal data, and your money, while you know absolutely nothing about them sounds scary. That is why we’ve asked a Business Consultant to give us some insights into Hotspot Shield’s background, operations, and more.

          Our Expert Review and Rating of Hotspot Shield's Business Structure

          Tamara Milacic
          Pricing Expert

          Hotspot Shield is a well-established VPN provider that has been ranked as the World’s Fastest VPN for streaming and gaming. Initially founded as the second company among two entrepreneurs, they benefited from being an early entrant in the VPN industry in 2008. They had a third co-founder, with a background in Geography, join them a few months after founding the operating company. While none of the founders had extensive technical experience prior to starting the operating company AnchorFree in 2005, they did get two rounds of funding in 2006 and 2008 totaling almost $11M prior to the launch of the Hotspot Shield VPN product. This support would’ve allowed them to invest in the expertise they needed. Currently, the operating company still has around 68% of its staff in engineering or IT departments. They have a distributed team that is based in the US, Ukraine, Switzerland, and India but their headquarters still remain in California, where the company was initially founded.

          In 2018, the operating company changed its name from AnchorFree to Pango Inc. Pango holds 5+ trademarks, including Hotspot Shield, in the internet security and VPN space. HotSpot Shield is now offered as both a standalone VPN service and as part of an internet security bundle directly on the Pango website. As a result of this, and its early entrance into the market, HotSpot Shield has had over 650 million downloads. 

          Also in 2018, Pango completed a $295M private equity round that was led by WndrCo, which invested aggressively in the space and another company called Aura the following year. Inevitably, less than 2 years later, in 2020, Aura acquired Pango for an undisclosed amount. 

          Aura is based out of Boston, Massachusetts, and was founded by an IT entrepreneur named Hari Ravichandran who still remains the CEO today. His experience spans 20+ years as a founder and CEO of multiple firms in the internet space. While the original founders of HotSpot Shield are no longer part of the company, operating as a subsidiary of Aura Company means that Hotspot Shield now gets the benefit of being part of an even bigger internet security and privacy company network.

          Based on my opinion as a business consultant I rate Hotspot Shield business as 8 / 10.


            To find out more about Hotspot Shield as a for-profit organization, please see our expert’s review in the conclusion.

            Hotspot Shield Pricing: Decent Value (With a Few Minor Setbacks)

            To validate our review of Hotspot Shield’s pricing plans, we’ve had an Economist, Brendan Filipovski, provide his professional opinion. 

            Our Expert Review and Rating of Hotspot Shield’s Pricing

            Brendan Filipovski
            Business Consultant

            Hotspot Shield provides a free basic service. This is a great option for occasional users or for users who want to try the basic features. It does have reduced speed and a data limit but this is to be expected for a free service. Hotspot also offers a 45-day money-back guarantee for its Premium services.

            It offers two premium (paid) plans with generous speeds and data limits. The Premium plan is a good value because it includes extra features like virus and malware protection, spam blocking, a password manager, and secure document storage. But it is only available for one unique user (albeit across five devices).

            The Premium Family plan allows up to five unique users (with five devices each) and is cost-effective for large families but you do lose the extra features like virus protection, a password manager, etc.

            The monthly price relative to other VPN providers is on the high side. The percentage discount with an annual subscription is similar to other providers. There are no two or three-year subscriptions with accompanying discounts available directly from Hotspot’s website but they are offered via some affiliate partners and represent a sizable discount that is comparable to price leaders such as Surfshark. It is thus worth searching around for details.

            The Twingate business service which is pitched as being superior to a VPN is charged per user and is a reasonable rate for business clients. Rates for enterprise clients can be negotiated.

            The range of payment methods is standard. No bitcoin payment.

            Based on my opinion as a business consultant I rate Hotspot Shield 7 / 10. The Premium plan has nice extra features but it is a shame that none of these are extended to the Premium Family plan. Speed and data are however not affected. Enterprise users face a typical set of plans, including room for negotiation for bigger customers. And the free basic plan is a nice touch for the occasional or novice user.


              If you would like to know more about how our expert came to the above conclusion, see their complete review in our conclusion!

              Pricing Plans

              Hotspot Shield offers a monthly plan and a yearly plan. For the yearly plan, the Premium package ends up costing $7.99 a month and $11.99 a month for Premium Family. The yearly plan is cheaper than the monthly one, as most VPN plans tend to be. There is also a free plan. The free plan is not worth much, considering the information collected on it (which can identify you) and the fact that it is paid for by ads.

              The monthly plan is for users who aren’t planning to use the VPN for long or only use it periodically. The rates for Hotspot Shield’s monthly plan are $12.99 per month for Premium and $19.99 per month for Premium Family. 

              In addition to the VPN, you also get a spam call blocker and a password manager. 

              These additional services bundled into the VPN are different in some places. For instance, where we saw ‘Password Manager,’ some people get 1Password. For users outside Canada and the US, the spam call blocker is replaced by Hiya. 

              With the premium subscription, you are allowed to connect up to five simultaneous connections, with no limits on data. For the Premium Family package, you can connect up to 25 devices across five-member accounts. Naturally, the latter option costs a little more.

              Extra Features

              • The Catapult Hydra Protocol is an added advantage for users since it significantly improves speeds compared to other VPNs that use open-source options.
              • The free version provides users with a data limit of 500MB per day, where others like TunnelBear provide the same for a whole month.
              • You get split-tunneling by domain, in addition to the solid services bundle.

              Detailed Conclusion: Here’s What Our Experts Found

              Performance Review - Raeesa Essop

              Test Suites

              • Check if DNS queries are intercepted and changed.

              ISP configuration: 

              Primary Server: SYS-192.168.0.1

              Secondary server: IAfrica-2 ZA –  196.7.142.132

              Tertiary server: MTN-2 ZA – 209.212.97.1

              Namebench was used to run a benchmark test assessing the available ISP DNS servers. It indicated that the ISP was not intercepting and redirecting outgoing DNS requests.

              No reports of NXDOMAIN hijacking turned up from the Namebench test. This was further tested with a dig query against an IP address where no DNS server is running, to check whether any false results occurred. There was no response, which indicates no interception or falsified results for the ISP.

              VPN – Server Chosen: United States

              Namebench was used to assess the VPN assigned DNS, which indicated that the server was indeed intercepting traffic:

              Namebench used to the VPN assigned DNS

              The dig command was used to check if a DNS lookup to an authoritative nameserver produced an authoritative reply. It did not produce an authoritative reply, which indicates DNS interception.

              The dig command was also used to check for falsified results when requesting a non-existent host, rather than the response merely timing out. If the user makes any typos when searching for a URL, the VPN will most likely display some type of advert, etc.

              Some non-existent domain names were queried, and adverts to purchase these domains popped up rather than the typical timeout message. They were all from Register.it

              • Check if the certificate presented on HTTPS queries is the correct one.

              Curl/gitbash was used to make requests. The certificate details of 4 popular websites were queried with both the ISP and VPN.

              Certificate details were compared between the two results for each website and by manually checking certificate details. These details include ‘issuer’, start and expiration dates, and the CN.

              All certificate information matched.
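              The comparison described above can be scripted. This is an added example, not the reviewer's tooling: it assumes the verbose output of an OpenSSL-backed curl (`curl -v`), whose "Server certificate" lines carry the subject, issuer and validity dates, and it runs on constructed captures for a hypothetical host, shop.example.

```python
import re
from typing import Dict, List, Tuple

# Lines an OpenSSL-backed curl prints under "* Server certificate:" with -v.
FIELD_RE = re.compile(
    r"^\*[ \t]+(subject|issuer|start date|expire date):[ \t]*(.+?)[ \t]*$", re.M)
# Pull the CN out of a distinguished name such as "C=US; O=Example; CN=host".
CN_RE = re.compile(r"(?:^|[;,/])\s*CN\s*=\s*([^;,/]+)")
# The fields the review compared: CN, issuer, start and expiration dates.
COMPARED = ("cn", "issuer", "start date", "expire date")


def cert_fields(curl_verbose: str) -> Dict[str, str]:
    """Extract the compared certificate fields from one `curl -v` capture."""
    fields = {k: v.strip() for k, v in FIELD_RE.findall(curl_verbose)}
    cn = CN_RE.search(fields.get("subject", ""))
    fields["cn"] = cn.group(1).strip() if cn else ""
    return fields


def compare(direct: str, via_vpn: str) -> Tuple[str, List[str]]:
    """Compare the capture taken over the ISP with the one taken over the VPN.

    Verdicts (a triage convention chosen for this example):
      match      - every compared field is identical
      review     - only validity dates differ; large sites can serve different
                   certificates from different edges, so check by hand
      alert      - issuer or CN differs: another party may be terminating TLS
      incomplete - a capture lacks certificate lines (handshake failed, or the
                   curl build does not print them)
    """
    a, b = cert_fields(direct), cert_fields(via_vpn)
    missing = [k for k in COMPARED if not a.get(k) or not b.get(k)]
    if missing:
        return "incomplete", missing
    diffs = [k for k in COMPARED if a[k] != b[k]]
    if not diffs:
        return "match", []
    if "issuer" in diffs or "cn" in diffs:
        return "alert", diffs
    return "review", diffs


def capture(subject: str, issuer: str, start: str, expire: str) -> str:
    """Build a constructed capture in curl's verbose layout (sample data only)."""
    return (
        "* Server certificate:\n"
        f"*  subject: {subject}\n"
        f"*  start date: {start}\n"
        f"*  expire date: {expire}\n"
        '*  subjectAltName: host "shop.example" matched cert\'s "shop.example"\n'
        f"*  issuer: {issuer}\n"
        "*  SSL certificate verify ok.\n"
    )


# Constructed samples; none of these values come from the review's tests.
ISSUER = "C=US; O=Example Trust; CN=Example Trust CA 1"
DIRECT = capture("CN=shop.example", ISSUER,
                 "Jan  8 00:00:00 2024 GMT", "Apr  7 23:59:59 2024 GMT")
VPN_SAME = DIRECT
VPN_ROTATED = capture("CN=shop.example", ISSUER,
                      "Feb  5 00:00:00 2024 GMT", "May  5 23:59:59 2024 GMT")
VPN_FOREIGN = capture("CN=shop.example", "O=Constructed Appliance; CN=Inline Proxy CA",
                      "Jan  8 00:00:00 2024 GMT", "Apr  7 23:59:59 2024 GMT")

if __name__ == "__main__":
    for label, vpn in (("same", VPN_SAME), ("rotated", VPN_ROTATED),
                       ("foreign issuer", VPN_FOREIGN)):
        print(label, compare(DIRECT, vpn))
```

              The review's result, all certificate information matching, corresponds to the "match" verdict for every site tested.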

              • Check if running HTTPS queries against a collection of websites, by using different VPNs, yields different HTTP responses. 

              Websites used:

              • Facebook.com
              • Paypal.com
              • YouTube.com
              • Netflix.com
              • Etsy.com
              • Amazon.com

              Curl/gitbash was used to make HTTP requests.

              Response headers were used for comparison.

              Observations:

              For 3 websites, there were several ‘set-cookie’ headers that weren’t present when using the ISP. The ‘set-cookie’ headers that involved language and location would correctly reflect the VPN exit node chosen.

              Some headers that used location and language (apart from the ‘set-cookie’ ones) would reflect the correct location. That is the same one as the exit node chosen.

              PayPal and Facebook had security policies that were not present when using the ISP. Nothing out of the ordinary or suspicious was observed.

              • Compare information from inside and outside the VPN from the same DNS server and compare the answer.

              Google Public DNS-2 (8.8.4.4) was used when testing the ISP and VPN performance.

              The ISP setup stated above was deemed the fastest.


              Performance was not enhanced for the ISP according to the Namebench test that was run again. No DNS interception took place.

              The Namebench test done for the VPN using the public DNS server still exhibited the same results. DNS intercepts were still taking place. This was further confirmed using the dig and nslookup tests.
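              The dig checks used in this test suite (a query to an address where no DNS server runs, a query sent straight to an authoritative nameserver, and a lookup of a non-existent host) can be scored mechanically. This is an added example, not the reviewer's tooling: it parses dig's default output and flags each pattern, and the sample replies, the example.com and .invalid names, and the 192.0.2.0/24 and 198.51.100.0/24 addresses are all constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

HEADER_RE = re.compile(r"->>HEADER<<- opcode: \w+, status: (\w+), id: \d+")
FLAGS_RE = re.compile(r"^;; flags:([a-z ]*);", re.M)


@dataclass
class DigReply:
    status: Optional[str]   # None when dig printed no reply header (timeout)
    flags: FrozenSet[str]   # header flags such as qr, aa, rd, ra
    answers: List[str]      # resource-record lines from the ANSWER section


def parse_dig(text: str) -> DigReply:
    """Extract status, header flags and answer records from dig's default output."""
    header = HEADER_RE.search(text)
    if header is None:
        return DigReply(None, frozenset(), [])
    flags_match = FLAGS_RE.search(text)
    flags = frozenset(flags_match.group(1).split()) if flags_match else frozenset()
    answers, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif in_answer:
            if not line.strip() or line.startswith(";"):
                break               # a blank line or the next section ends the answers
            answers.append(line.strip())
    return DigReply(header.group(1), flags, answers)


def assess(probe: str, text: str) -> Tuple[bool, str]:
    """Return (interception suspected, reason) for one probe's dig output."""
    reply = parse_dig(text)
    if probe == "dead_server":      # target address runs no DNS server
        if reply.status is None:
            return False, "no reply, as expected"
        return True, "a reply arrived from an address that runs no DNS server"
    if reply.status is None:
        return False, "no reply; inconclusive"
    if probe == "authoritative":    # query sent directly to the zone's nameserver
        if "aa" in reply.flags:
            return False, "authoritative answer (aa flag set)"
        return True, "aa flag missing: something other than the nameserver answered"
    if probe == "nonexistent":      # name that cannot exist, e.g. under .invalid
        if reply.answers:
            return True, f"{reply.status} with records for a name that does not exist"
        if reply.status == "NXDOMAIN":
            return False, "NXDOMAIN, as expected"
        return False, f"{reply.status} without records; inconclusive"
    raise ValueError(f"unknown probe: {probe}")


def sample(status: str, flags: str, record: str = "") -> str:
    """Build a constructed reply in dig's default output layout (sample data only)."""
    answer = f";; ANSWER SECTION:\n{record}\n\n" if record else ""
    return (
        ";; Got answer:\n"
        f";; ->>HEADER<<- opcode: QUERY, status: {status}, id: 4242\n"
        f";; flags: {flags}; QUERY: 1, ANSWER: {1 if record else 0}, "
        "AUTHORITY: 0, ADDITIONAL: 1\n\n"
        f"{answer};; Query time: 20 msec\n"
    )


# Constructed captures: one path that behaves normally, one showing each failure pattern.
TIMEOUT = ";; connection timed out; no servers could be reached\n"
CLEAN_PATH = {
    "dead_server": TIMEOUT,
    "authoritative": sample("NOERROR", "qr aa rd", "example.com.\t300\tIN\tA\t192.0.2.10"),
    "nonexistent": sample("NXDOMAIN", "qr rd ra"),
}
INTERCEPTED_PATH = {
    "dead_server": sample("NOERROR", "qr rd ra", "example.com.\t60\tIN\tA\t192.0.2.10"),
    "authoritative": sample("NOERROR", "qr rd ra", "example.com.\t60\tIN\tA\t192.0.2.10"),
    "nonexistent": sample("NOERROR", "qr rd ra", "no-such-host.invalid.\t60\tIN\tA\t198.51.100.7"),
}


def findings(path: Dict[str, str]) -> List[str]:
    """Names of the probes that point to interception on this path, sorted."""
    return sorted(p for p, text in path.items() if assess(p, text)[0])


if __name__ == "__main__":
    for name, path in (("clean", CLEAN_PATH), ("intercepted", INTERCEPTED_PATH)):
        for probe, text in path.items():
            print(name, probe, *assess(probe, text))
```

              The same probes apply when a public resolver such as 8.8.4.4 is configured: if the non-existent name still resolves, the rewriting happens on the path and not at the assigned resolver.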

              Infrastructure

              • How many servers?

               1,800+ servers in 80+ countries — including 35+ cities around the world

              •   How many servers in which geography (country and continent)?

              Servers in:

              16 countries in North and South America (27 cities in the USA, 4 cities in Canada)

              48 countries in Europe (2 cities in the UK, 2 cities in Spain, 3 cities in Italy, 2 cities in France)

              28 countries in the Asia Pacific (6 different cities in Australia)

              7 countries in the Middle East and Africa

              •  What type of servers?

              Hotspot Shield uses a mixture of virtual and physical servers. Actual server details such as OS or any hardware specs were not found. They are also not open about which servers are virtual and physical.

              • What technology stack (e.g., what programming languages and technologies are used in running the VPN infrastructure)?

              Hotspot Shield has created their very own VPN protocol referred to as ‘Catapult Hydra’. It claims that this proprietary protocol is what increases the download speed over long distances. Ookla Speedtest even claims that the speeds were increased by over 26% when using this protocol. It may in fact be the most noteworthy thing about this VPN.

              They also offer the option of using the IKEv2/IPsec VPN protocol.

              • In which data centers are the servers hosted? How is the distribution of server hosting (e.g., is it clustered, meaning almost all servers with one data center provider, or is it spread out using a multitude of server providers in a country)?

              The majority of countries that have servers have only one location associated. US and Australia have several locations. These were checked to see what data centers/cloud solutions/IT infrastructure/colocation etc. were being used (checked using IPlocation.net and Domain Tools).

              US Servers:

              • Atlanta – Quadranet Enterprises LLC
              • Boston – Charles River Operation
              • Charlotte – h4y Technologies LLC
              • Chicago – Eonix Corporation
              • Columbus – Madeit Inc.
              • Dallas – Maxihost LLC
              • Denver – Sharktec
              • Houston – The Optimal Link Corporation
              • Indianapolis – Unlimited Net LLC
              • Kansas City – Wholesale Internet Inc.
              • Las Vegas – Vegasnap LLC
              • Los Angeles – Maxihost LLC
              • Miami – Quadranet Enterprises LLC
              • New Jersey – Gthost
              • New York – 24 Shells

              Australia Servers:

              • Adelaide – Intergrid Group Pty Ltd
              • Brisbane – Intergrid Group Pty Ltd
              • Melbourne – Intergrid Group Pty Ltd
              • Perth – Intergrid Group Pty Ltd
              • Sydney – Maxihost LLC (possibly a virtual server)

              There are quite a variety of providers across the United States. Australia is more homogeneous using mostly Intergrid Group Pty Ltd.

              Speed & Connectivity

              •  Perform speed tests for 23 different VPN exit nodes while connecting to the “best & fastest” Speedtest server.

              Base speed (ISP):

              Perform speed tests for 23 different VPN exit nodes

              The protocol chosen was: Hydra

              Connection: single 

              City | Country | Ping [ms] | Download [Mbps] | Upload [Mbps]
              New York City | USA | 235 | 11.57 | 13.19
              Berlin | Germany | 186 | 14.74 | 18.03
              Tokyo | Japan | 414 | 13.99 | 10.31
              London | UK | 194 | 8.43 | 8.53
              Paris | France | 177 | 26.52 | 20.69
              Rio de Janeiro | Brazil | 355 | 4.07 | 11.68
              Toronto | Canada | 255 | 22.63 | 15.59
              Lisbon | Portugal | 215 | 31.32 | 14.77
              Rome | Italy | 192 | 25.53 | 18.35
              Seoul | South Korea | 323 | 17.45 | 9.89
              Madrid | Spain | 198 | 32.89 | 18.03
              Sydney | Australia | 431 | 17.15 | 9.58
              Jakarta | Indonesia | 330 | 17.87 | 12.31
              Istanbul | Turkey | 222 | 24.73 | 7.72
              Moscow | Russia | 218 | 36.85 | 16.48
              Mexico City | Mexico | 315 | 14.15 | 14.42
              Riyadh | Saudi Arabia | N/a | N/a | N/a
              Helsinki | Finland | 311 | 10.78 | 14.65
              Mumbai | India | 299 | 39.55 | 10.26
              Abu Dhabi | UAE | 298 | 25.17 | 13.79
              Kuala Lumpur | Malaysia | 350 | 13.62 | 11.90
              Pretoria | South Africa | 4 | 55.56 | 54.98
              Riga | Latvia | 201 | 18.43 | 4.18

              [Screenshots: Hotspot Shield VPN Speedtest results for USA, Germany, Japan, United Kingdom, France, Brazil, Canada, Portugal, Italy, South Korea, Spain, Australia, Indonesia, Turkey, Russia, Mexico, India, United Arab Emirates, Malaysia, South Africa, and Latvia]

              • Speed test performance for 5 different servers ( one close to the VPN server, one in the next big city, one at the other side of the country, one in another major city on another continent, pick another interesting one). Ping, Download, Upload? Any surprises?

              Most of the servers at any given time were at 30-40% capacity.

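              UK Server (Gaming optimized server)

              Server | Ping [ms] | Download [Mbps] | Upload [Mbps]
              London (optimized server) | 193 | 3.5 | 20.16
              Leicester | 198 | 3.2 | 22.15
              Glasgow | 290 | 4.04 | 27.12
              Sao Paulo | 372 | 3.09 | 20.02
              Auckland | 487 | 3.44 | 22.50

              Italy server

              Server | Ping [ms] | Download [Mbps] | Upload [Mbps]
              Perugia (optimised server) | 193 | 12.84 | 20.57
              Rome | 213 | 11.07 | 19.35
              Milan | 196 | 15.19 | 20.85
              Maputo | 391 | 9.77 | 18.59
              Mumbai | 331 | 10.97 | 20.96

              Spain Server

              Server | Ping [ms] | Download [Mbps] | Upload [Mbps]
              Igualada | 214 | 7.76 | 19.83
              Madrid | 224 | 7.5 | 20.30
              Gibraltar | 238 | 5.79 | 19.20
              Nuuk | 298 | 5.37 | 19.15
              Bogota | 384 | 4.70 | 20.55

              France Server

              Server | Ping [ms] | Download [Mbps] | Upload [Mbps]
              Paris | 178 | 4.91 | 23.13
              Lyon | 194 | 22.33 | 23.53
              Marseille | 200 | 34.05 | 23.19
              Nairobi | 357 | 35.41 | 23.55
              Bangkok | 401 | 13.49 | 18.02

              Latvia

              Server | Ping [ms] | Download [Mbps] | Upload [Mbps]
              Riga | 203 | 30.46 | 23.41
              Ludza | 208 | 42.33 | 11.55
              Liepaja | 207 | 43.34 | 23.12
              Roodepoort | 340 | 32.65 | 24.30
              Okinawa | 420 | 28.21 | 23.20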

              Most of the servers exhibited an increase in latency with an increase in distance. Three out of the five tested servers had better upload rates than download rates. These rates oscillated at the same value over the five different locations. The download rates for these servers were on average 17-50% of the upload rates.

              The Latvian server had above-average upload rates when compared to the other servers. It was at a capacity of 31% at the time of testing.

              The optimized servers (as chosen by Ookla) didn’t always perform the best. Perhaps the shared IP of the server shows a location that is slightly different from the actual location of the server. However, the latency was always lowest when using the optimized server which would indicate it is the closest available one.

              • Check the traceroutes for these tested servers.

              All traceroute tests used ‘google.com’ to check the route of the traffic.

              Routing locations were determined using IP lookup

              ISP used 10 hops with a maximum of 33ms per hop.

              • UK Server: 9 hops with ping latency on average being 190 ms.
              • Italy Server: 15 hops with ping latency on average being 220ms.
              • Spain Server: 9 hops with ping latency on average being 220ms.
              • France Server: 15 hops with ping latency on average being 200ms.
              • Latvia Server: 9 hops with ping latency on average being 180ms.

              The majority of the nodes did not respond. Most timed out giving little information as to the location of the routed traffic. There is no firewall active on the base PC and the ISP shows information at every node. This might be due to the protocol being used. However, the VPN doesn’t allow for a different protocol to be used/tested.

              • If there are special setups like double hop VPNs, how do they perform?

              The VPN has few extra features. The most noteworthy aspect to test would be the Hydra Protocol. This protocol was chosen by default and all tests were already run using it. 

              When trying to use the IKEv2(IPsec) protocol, none of the servers were able to connect. They would show an error message and remain disconnected. This is a new feature that they offer and may need a few iterations before it works properly.

              There are designated servers for streaming, gaming and browsing. 

              The US server for browsing had poor performance when compared to the other American servers available.

              The streaming server did not have a good download rate as would be expected of a server dedicated to this purpose. It showed a rate of 2.98Mbps. This was at a server capacity of 41%.

              The gaming server did not have a latency of less than 200ms which may make a lot of games unfeasible to play if the user is in the same location as the tester.

              The split tunneling feature worked seamlessly when tested for several local websites that will often block international traffic.

              Experience Impact

              • Are you able to watch the streams in the following quality?

              YouTube

              Quality | Able to Watch | Extended Buffering | Buffering [s]
              8K | Yes | Yes | 3-5 seconds
              4K | Yes | Yes | 3-5 seconds
              1080p | Yes | No | N/A
              720p | Yes | No | N/A

              Netflix

              Quality | Able to Watch | Extended Buffering | Buffering [s]
              8K | N/A | N/A | N/A
              4K | Yes | No | N/A
              1080p | Yes | No | N/A
              720p | Yes | No | N/A

               

               

              Wire-Level Privacy Performance

              • What VPN protocol is in use?

              Catapult Hydra was the selected protocol, but it is not open-source. The traffic did not show up as this proprietary protocol, but possibly as other protocols that Hydra is based on or makes use of.

              Some of the protocols that showed up were TCP, UDP, SSDP, and TLSv1.2.

              • Can you see any traffic not being transmitted via the VPN tunnel?

              No, as the split tunneling feature was turned off.

              •   Can you see any DNS traffic in the packet capture?

              No.

               

              Using the website Browserleaks

              Using the website Browserleaks, answer the following questions. Take screenshots and highlight out of the ordinary results.

              • Does your IP location information match the requested VPN location?

              Yes.

              IP Address Lookup on Browserleaks

              • What is your connection type? 

              Residential.

              • Are there any IPv6 Leaks? 

              No IPv6 leaks detected.

              • Are there any DNS leaks? 

              There were no DNS leaks to the local ISP. However, a vast list of all DNS servers in several locations was detected.

              Checking DNS leaks Test

              • Are there any WebRTC leaks? 

              No, the actual IP was not disclosed. It oddly showed an IP related to Switzerland, however.

              WebRTC leaks test

              Design - Cassandra Mackin

              Design

              • What’s the Design Style? 

              Flat with Skeuomorphism shapes, e.g., a shield for the logo. Icons are flat and minimalistic outlines. 

              • What feeling does the design convey? 

              Very serious and simple. There is very little color.

              • What’s the color scheme, i.e., primary colors, secondary colors, hex codes?

              Mostly #ffffff (white) and #141414 (dark gray, nearly black), with accents of #2ca2f7 (bright blue) and #8e8e8e (gray). Most buttons are #8e8e8e (gray) and then #ffffff (white) on hover, or black with white and #2ca2f7 (bright blue) accents… These secondary buttons change the white to #8e8e8e (gray) and the #2ca2f7 (bright blue) to #148cfc (dark bright blue) on hover. 

              “New” labels are #40b267 (green) and toggles are either black outlined in gray and white (off) or #2fa6f8 (bright blue) outlined in black (on). ‘Premium’ labels are #2fa6f8 (bright blue), and icons are the same blue with accents of white and darker blues, namely #073579 and #1370f5. The logo again uses the #2fa6f8 (bright blue) for the shield, with a circle of various colors on top.

              • When did the VPN introduce the current design of the software? 

              The website design was updated between September 14 and September 17, 2020. They also had a Black Friday / Cyber Monday sale design which was up from about 9 am on November 26, 2020, to December 1, 2020.

              • Does the current design use native interface components (Buttons, Navbars, Tabbars, Navigation, etc.) for each operating system, iOS14, Android 11, macOS Big Sur, Windows 10? Or is it some hybrid cross-platform software with its unique interface components?

              Hotspot Shield has its own design that it uses across all systems. The exceptions are system pop-ups, e.g., permissions and notifications, and Preferences in macOS, which uses the native macOS design with Hotspot Shield VPN’s color scheme.

              • Are there any other design observations you’ve made?

              The design is very minimalistic, with lots of white space even in the icons. It uses very few colors, mostly just gray tones and blues. They do use quite a bit of jargon without explaining it, and they have their own terms for things, which further complicates an already complicated process for the non-tech-savvy user. 

              They don’t have a manual ‘check for updates’ button, so if you installed through the Microsoft or App store, you have to go into store settings to manually update and/or turn on auto-updates.

              User Actions Based On Operating Systems

              Criteria | iOS | Android | MacOS | Windows | Linux
              How long does the app take to load (in seconds)? | 4 | 4 | 5 | 6 | 0 (Terminal)
              Is there an auto-connect option? | No | Yes | Yes | Yes | No
              Is there a button to connect to the fastest VPN server? | They automatically select the ‘closest, optimal server’. | They automatically select the ‘closest, optimal server’. | They automatically select the ‘closest, optimal server’. | They automatically select the ‘closest, optimal server’. | No. The first time you use “hotspotshield connect” in Terminal, it’ll connect to the ‘closest, optimal server’. This command will then always connect you to the most recent server you’ve specified.
              Is there a button to connect to the nearest VPN server? | They automatically select the ‘closest, optimal server’. | They automatically select the ‘closest, optimal server’. | They automatically select the ‘closest, optimal server’. | They automatically select the ‘closest, optimal server’. | No. The first time you use “hotspotshield connect” in Terminal, it’ll connect to the ‘closest, optimal server’. This command will then always connect you to the most recent server you’ve specified.
              Is there a one-click quick connect option? | Yes | Yes | Yes | Yes | No, type “hotspotshield connect” in Terminal.
              How many clicks/taps to connect to a recent server? | 1 | 1 | 1 | 1 | Type “hotspotshield connect” in Terminal
              How many clicks/taps to connect to a server in another country? | 3 | 3 | 3 | 3 | Disconnect in Terminal, then type “hotspotshield connect [country code]” in Terminal, replacing [country code] with the code you need. You can find them by typing “hotspotshield locations” in Terminal.
              How many clicks/taps to connect to a gaming server? | 3 | 3 | 3, you can search for gaming in their server section or click into the US or UK and choose ‘gaming’. | 3, you can search for gaming in their server section or click into the US or UK and choose ‘gaming’. | N/A, you can only connect by location on Linux.
              How many clicks/taps to connect to a p2p (torrent) server? | Not native, must manually find and select. | Not native, must manually find and select. | Not native, must manually find and select. | Not native, must manually find and select. | N/A, you can only connect by location on Linux.

              User Actions Based on Browsers & Router

              Name | Chrome | Firefox | Router
              How long does the app take to load (in seconds)? | 0 | 0 | n/a
              Is there an auto-connect option? | Yes, through Configuration (top-right of extension app), Browser Settings, Auto protection, you can choose to protect when you go to certain sites. | Yes, through Configuration (top-right of add-on app), Browser Settings, Auto protection, you can choose to protect when you go to certain sites. | Always connected until you login to router settings and deactivate.
              Is there a button to connect to the fastest VPN server? | They automatically select the ‘closest, optimal server’. | They automatically select the ‘closest, optimal server’. | No, you must choose your server location manually from the Hotspot Shield Account page, then download the config file and redo credentials in your router settings whenever you want to switch servers.
              Is there a button to connect to the nearest VPN server? | They automatically select the ‘closest, optimal server’. | They automatically select the ‘closest, optimal server’. | No, you must choose your server location manually from the Hotspot Shield Account page, then download the config file and redo credentials in your router settings whenever you want to switch servers.
              Is there a one-click quick connect option? | Yes | Yes | n/a, always connected
              How many clicks/taps to connect to a recent server? | 1 | 1 | n/a, always connected
              How many clicks/taps to connect to a server in another country? | 4 | 4 | You have to login to your Hotspot Shield account and go into router settings, then choose a server, download the config, login to your router, and create the new VPN client profile whenever you want to switch servers.
              How many clicks/taps to connect to a gaming server? | N/A, only a few server options are present in the extension. | N/A, only a few server options are present in the extension. | N/A, only a few server options are present for the router VPN.
              How many clicks/taps to connect to a p2p (torrent) server? | N/A, only a few server options are present in the extension. | N/A, only a few server options are present in the extension. | N/A, only a few server options are present for the router VPN.

              Overall User Experience and Accessibility

              • Does the app offer support for vision-impaired people, meaning does it support the accessibility features provided by the operating system, like increasing font sizes, inverting colors, etc.? Is the software set up correctly to support screen-reading for blind people?

              Font size does not change with system settings and there is not an option in the app settings. Their notification texts do get larger with the system though, which is a plus. Windows Narrator does not work except with actual text links in the app, so it’s not helpful here. 

              The website isn’t accessible at all for people who are colorblind or have poor vision. Much of their text is on photo backgrounds and blends into the background.

               

              User Experience Based On Operating Systems

              Questions | iOS | Android | MacOS | Windows | Linux
              What are the steps to installing the software and connecting to the VPN for the first time? | Search in App Store, click Get. Open app, scroll through prompts, then either click Proceed with Basic or Sign In/Create Account. Click the power icon to connect, then Allow, Allow. | Search in Play Store or text yourself a link from Account. Click Install. Open app, sign in, click power icon to connect. Click OK. | Download for Mac, open the file, go through basic install. Open the app and click the power icon to connect. | Download from the Account page. Click Install, then scroll through and click the checkmark or click ‘Skip’ in the top left. Click the power icon to connect. | Click Linux from the account page, then choose the type of file you need and download. Follow the detailed instructions here: install Hotspot Shield via Terminal/sudo.
              How many minutes to connect the first time? | 3 | 1 | 2 | 4 | 6
              What’s the start-up time of the software? (In seconds) | 4 | 4 | 5 | 6 | 10-20, have to type in the code in Terminal
              What’s the least amount of clicks/taps that’s necessary to connect to a VPN server? | 1 | 1 | 1 | 1 | n/a, must type into Terminal
              Do I need a subscription to connect or is there a trial or free version? | There is a 7-day free trial of premium and a 45-day money-back guarantee. There is a free version with limits on speed, daily data, number of devices, virtual locations, tech support, and only SD streaming. On mobile, it also has ads. | There is a 7-day free trial of premium and a 45-day money-back guarantee. There is a free version with limits on speed, daily data, number of devices, virtual locations, tech support, and only SD streaming. On mobile, it also has ads. | There is a 7-day free trial of premium and a 45-day money-back guarantee. There is a free version with limits on speed, daily data, number of devices, virtual locations, tech support, and only SD streaming. | There is a 7-day free trial of premium and a 45-day money-back guarantee. There is a free version with limits on speed, daily data, number of devices, virtual locations, tech support, and only SD streaming. | You need Premium.
              Is there a free version? | There is a 7-day free trial of premium and a 45-day money-back guarantee. There is a free version with limits on speed, daily data, number of devices, virtual locations, tech support, and only SD streaming. On mobile, it also has ads. | There is a 7-day free trial of premium and a 45-day money-back guarantee. There is a free version with limits on speed, daily data, number of devices, virtual locations, tech support, and only SD streaming. On mobile, it also has ads. | There is a 7-day free trial of premium and a 45-day money-back guarantee. There is a free version with limits on speed, daily data, number of devices, virtual locations, tech support, and only SD streaming. | There is a 7-day free trial of premium and a 45-day money-back guarantee. There is a free version with limits on speed, daily data, number of devices, virtual locations, tech support, and only SD streaming. | You need Premium.
              What’s necessary to sign up for a subscription? What are the steps? How long does the overall process take? | From the app home page, click Get Premium, choose a plan, then confirm using the iOS options (double-click power button, face verification, etc.). It takes less than a minute. | From the app home page, click Get Premium, choose a plan, then Subscribe and confirm with Google Play. It takes less than a minute. | From the app home page, click Upgrade, choose a plan, enter your payment info and click Subscribe OR click the Paypal tab, the yellow Paypal button, login if needed, and confirm through Paypal. Alternatively, you can subscribe through the app store. It takes about 3 minutes online and 2 minutes through the app store. | From the app home page, click Upgrade, choose a plan, enter your payment info and click Subscribe OR click the Paypal tab, the yellow Paypal button, login if needed, and confirm through Paypal. It takes about 3 minutes. | Go to Hotspot Shield VPN’s website and login. Click Upgrade Now in the top banner, choose a plan, choose a payment method and enter your info, then click Continue. Takes about 3 minutes.
              What types of notifications are there? Are they obtrusive/too much? | There are no notifications, just a tiny ‘VPN’ indicator next to the wifi symbol. | There is a static notification in the notification bar when you are connected to VPN. It’s not obtrusive. | Connected/disconnected to VPN using MacOS’ default notification settings. They only last a few seconds and are unobtrusive, but do make noise if you have that turned on in your Mac preferences. | Connected/disconnected to VPN. They only last a few seconds and are unobtrusive, but do make noise if you have that turned on in your Windows settings. | None.
              Are there automatic software updates? | Yes, through the App Store settings. Go to your iPhone/iPad Settings, App Store, and toggle App Updates to On. | Yes, through the Play Store. | Yes. If you installed via the App Store, the app will follow your Apple Account App Store settings. Go to Preferences/Settings depending on your OS, App Store, and toggle App Updates to On. If you installed via the website, it will install updates automatically. | Yes. If you installed via the Microsoft Store, the app will follow your Windows settings. Go to Microsoft Store, Settings, App updates, and set Update apps automatically to On. If you installed via the website, it will install updates automatically. | No, you must update via Terminal using “sudo apt update -y” and then “sudo apt upgrade -y” for the .deb package or “sudo dnf upgrade -y” for the .rpm package.

               

              User Experience Based On Browsers & Router

              Questions | Chrome | Firefox | Router
              What are the steps to installing the software and connecting to the VPN for the first time? | The extension isn’t on the account page, but is on the Chrome extension for Hotspot Shield VPN. Click Add to Chrome, Add extension, then open from the extension menu in the toolbar. Cycle through the options and click Done. Click the power icon to connect or open the menu and sign in to get your premium benefits. | The extension isn’t on the account page, but is available as a Hotspot Shield Free VPN Firefox Browser Add-On. Click Add to Firefox, Add, then choose whether or not to allow it to run in Private windows. Open the add-on via the toolbar and scroll through to finish installing. Click the power icon to connect or open the menu and sign in to get your premium benefits. | On the Account page, click Router. Choose a VPN location, click Download File. The installation will depend on your router, but in general, go to your router settings login page (usually 192.168.1.1) and login, then go to Advanced Settings, VPN, and add a profile to your VPN client list. Use the username and password from the Hotspot Shield page where you downloaded the VPN config file, and then upload that .ovpn file. Once it’s on the VPN server list you just need to click activate.
              How many minutes to connect the first time? | 2-3 | 2 | 10
              What’s the start-up time of the software? (In seconds) | 0 | 0 | n/a
              What’s the least amount of clicks/taps that’s necessary to connect to a VPN server? | 1 | 1 | n/a, you’re always using VPN unless you go into router settings and disable it
              Do I need a subscription to connect or is there a trial or free version? | There is a 7-day free trial of premium and a 45-day money-back guarantee. There is a free version with limits on speed, daily data, number of devices, virtual locations, tech support, and only SD streaming. | There is a 7-day free trial of premium and a 45-day money-back guarantee. There is a free version with limits on speed, daily data, number of devices, virtual locations, tech support, and only SD streaming. | You need Premium.
              Is there a free version? | There is a 7-day free trial of premium and a 45-day money-back guarantee. There is a free version with limits on speed, daily data, number of devices, virtual locations, tech support, and only SD streaming. | There is a 7-day free trial of premium and a 45-day money-back guarantee. There is a free version with limits on speed, daily data, number of devices, virtual locations, tech support, and only SD streaming. | You need Premium.
              What’s necessary to sign up for a subscription? What are the steps? How long does the overall process take? | Click the extension icon, then Upgrade to Hotspot Shield Premium. Choose your plan and enter your payment info. Click Continue. Takes about 2 minutes. | Click the add-on icon, then Upgrade to Hotspot Shield Premium. Choose your plan and enter your payment info. Click Continue. Takes about 2 minutes. | Go to Hotspot Shield VPN’s website and login. Click Upgrade Now in the top banner, choose a plan, choose a payment method and enter your info, then click Continue. Once you’re setup you’ll still need to setup your router, but getting a subscription should only take a couple of minutes.
              What types of notifications are there? Are they obtrusive/too much? | There was a pop-up asking me to sign-in to a proxy, but I just closed it and everything worked fine. When not signed into Premium, there is an ad to upgrade and download the Windows app. There is an option to toggle on/off notifications in the Settings. | None popped up for me, but there is an option to toggle on/off notifications in the Settings. | n/a
              Are there automatic software updates? | There is no documentation stating that there are or are not automatic updates. | There is no documentation stating that there are or are not automatic updates. | No.

              Security Protocols & Authentication - Jason Martin Alexander

              The queries for this section have been sent via email to the vendor. They have replied promptly via chat and email on the simpler queries, and referred other matters to their developers.

              Protocol & Authentication

              • How does Hotspot Shield protect authentication credentials? What’s the default authentication protocol?

              The website states their proprietary development is based on OpenVPN (TLS) and follows NIST recommendations. Support states they also support OpenVPN on routers.
              (05:40:02 AM) David M.: OpenVPN is still supported, this is the protocol we use to connect routers with our services.

              • What kind of authentication is supported? What’s the default authentication method?

              Password or QR Code

              • What network protocols are supported (UDP vs TCP)?

              TCP, UDP (and ICMP at minimum).

              Source: Direct Test

              C:\SysOp\Apps\IPerf>iperf3 -c speedtest-iperf-akl.vetta.online -u -p 5205
              Connecting to host speedtest-iperf-akl.vetta.online, port 5205
              [  4] local 172.31.244.228 port 63275 connected to 163.47.131.253 port 5205
              [ ID] Interval           Transfer     Bandwidth       Total Datagrams
              [  4]   0.00-1.00   sec   144 KBytes  1.18 Mbits/sec  18
              [  4]   1.00-2.00   sec   136 KBytes  1.12 Mbits/sec  17
              [  4]   2.00-3.00   sec   120 KBytes   984 Kbits/sec  15
              [  4]   3.00-4.00   sec   120 KBytes   982 Kbits/sec  15
              [  4]   4.00-5.00   sec   136 KBytes  1.12 Mbits/sec  17
              [  4]   5.00-6.00   sec   112 KBytes   918 Kbits/sec  14
              [  4]   6.00-7.00   sec   128 KBytes  1.05 Mbits/sec  16
              [  4]   7.00-8.00   sec   136 KBytes  1.11 Mbits/sec  17
              [  4]   8.00-9.00   sec   136 KBytes  1.11 Mbits/sec  17
              [  4]   9.00-10.00  sec   120 KBytes   984 Kbits/sec  15
              - - - - - - - - - - - - - - - - - - - - - - - - -
              [ ID] Interval           Transfer     Bandwidth       Jitter    Lost/Total Datagrams
              [  4]   0.00-10.00  sec  1.26 MBytes  1.06 Mbits/sec  4.618 ms  0/160 (0%)
              [  4] Sent 160 datagrams

              iperf Done.

              C:\SysOp\Apps\IPerf>

               

              • What VPN protocols are supported by Hotspot Shield? 

              “Catapult Hybrid” 

              • What is the default protocol for the VPN?

              Purportedly based on OpenVPN with AES 128 default

              • Is the VPN protocol open source or closed source?

              Closed Source and ‘Open Source’ options (The IPSec VPN code is not available for public review).

              Excerpt from the website regarding Hotspot Shield’s proprietary Hydra VPN protocol: 

              “Updated: June 28, 2021 20:38 

              In short, yes. Your VPN connection is very secure and private, whether you use Hotspot Shield Basic or Premium. 

              Our proprietary VPN protocol, Hydra, which is based on OpenVPN, uses standard, proven Transport Layer Security (TLS) based on NIST recommendations to establish a secure client-server connections and encrypt the payload. 

              The handshake is a standard TLS 1.2 and no protocol downgrade is allowed. It uses RSA certificates with 2048 bit key for server authentication and Elliptic Curve Diffie-Hellman algorithm (ECDHE) for Ephemeral Key Exchange. 

              Ephemeral in this case means that encryption keys are generated for every user session and erased from memory when the session is over. 

              Our steadfast security, inspired by the software defined perimeter (SDP) model pioneered by the US Department of Defense, supports both 128-bit AES and 256-bit AES encryption, and we use 128-bit AES encryption as a standard. 

              Fun fact: it would take nearly 14 billion years to decrypt 128-bit AES encryption at current computer power. To put that into perspective, that’s about 3X the age of our Solar System (~4.5 billion years old), or as long as the Universe has existed (~14 billion years old).”

              Excerpt from Hotspot Shield’s website:

              “Catapult Hydra security code is evaluated by 3rd party security experts from more than 60% of the world’s largest security companies that use our SDK to provide VPN services to their users.”

              •  If it is closed source, who is the vendor and are they considered a tier-one vendor?

               Not in my opinion.

              • Has an RFC been published for the protocol? What’s the RFC number?

              N/A.

              • Is the VPN protocol using the latest protocol version?

              N/A.

              • What is the release date of the protocol in use?

              N/A.

              •  Is there an IEEE implementation standard for the protocol?

              N/A.

              •  Is the protocol listed on the iana.org website?

              Not at the time of review.

              • Does this protocol have any known vulnerabilities or Active CVE?

              N/A. Nothing is currently known, but the product itself has a history. See “Has the VPN provider been exploited in the past” below.

              •  Does the VPN support multi-hop?

              Support of Multi-hop VPN capabilities is not listed. An inquiry has been sent to support (20/07/2021). The VPN CAN run through Tor.

              Analysis

              • Can you see any traffic not transmitted via the VPN tunnel (if not Split-Tunneling)?

              No.

              • Can you see any DNS traffic in the packet capture?

              Not when the VPN is enabled.

              • Where is your DNS traffic going to?

              Google (8.8.8.8)

              Note: Additional tests appeared reasonable (dnsleak.com, ipleak.net, DNS leak test)
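The packet-capture questions above can be answered mechanically. The following is an added Python example, not the reviewer's tooling or capture: it reads a classic pcap taken on the physical interface and lists every port-53 packet sent anywhere other than the VPN endpoint. The embedded capture, addresses and ports are constructed, and only plain DNS over IPv4 is covered (DoH, DoT and IPv6 are out of scope).

```python
import ipaddress
import struct

ETH_IPV4 = b"\x08\x00"
DNS_PORT = 53


def _frame(src, dst, sport, dport, payload):
    """Build one Ethernet/IPv4/UDP frame (checksums left at zero; constructed data)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + ETH_IPV4 + ip + udp


def build_sample_pcap(include_leak):
    """Return a constructed capture: tunnel traffic, plus one stray DNS query if asked."""
    frames = [_frame("192.168.1.20", "203.0.113.10", 50000, 443, b"\x00" * 32)]
    if include_leak:
        frames.append(_frame("192.168.1.20", "198.51.100.53", 50001, DNS_PORT,
                             b"\x12\x34" + b"\x00" * 10))
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, linktype 1 (Ethernet).
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1600000000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_frames(pcap):
    """Yield raw Ethernet frames from a classic (non-pcapng) capture."""
    if len(pcap) < 24:
        raise ValueError("not a classic pcap file")
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    offset = 24
    while offset + 16 <= len(pcap):
        caplen = struct.unpack(endian + "IIII", pcap[offset:offset + 16])[2]
        offset += 16
        if offset + caplen > len(pcap):
            break  # truncated final record
        yield pcap[offset:offset + caplen]
        offset += caplen


def find_dns_outside_tunnel(pcap, vpn_endpoints):
    """Return (src, dst, proto) for each port-53 packet not addressed to the VPN endpoint."""
    leaks = []
    for frame in iter_frames(pcap):
        if len(frame) < 14 + 20 or frame[12:14] != ETH_IPV4:
            continue  # not IPv4 over Ethernet
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[0] >> 4 != 4 or ip[9] not in (6, 17) or len(ip) < ihl + 4:
            continue  # keep only TCP (6) and UDP (17) with a readable port pair
        if struct.unpack("!H", ip[6:8])[0] & 0x1FFF:
            continue  # later fragment: no transport header to inspect
        dst = str(ipaddress.IPv4Address(ip[16:20]))
        dport = struct.unpack("!HH", ip[ihl:ihl + 4])[1]
        if dport == DNS_PORT and dst not in vpn_endpoints:
            src = str(ipaddress.IPv4Address(ip[12:16]))
            leaks.append((src, dst, "udp" if ip[9] == 17 else "tcp"))
    return leaks


if __name__ == "__main__":
    vpn = {"203.0.113.10"}  # constructed VPN endpoint address
    print("VPN on, clean:", find_dns_outside_tunnel(build_sample_pcap(False), vpn))
    print("VPN on, leaking:", find_dns_outside_tunnel(build_sample_pcap(True), vpn))
```

An empty list matches the reviewer's "not when the VPN is enabled" result; any entry names the resolver that received a query outside the tunnel.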

              Additional Questions

              • Has the VPN provider been exploited in the past?  

              No published exploits, but proof-of-concept exploitation is available for the 2020 version of the app (Source: CVE-2020-17365 – Hotspot Shield VPN New Privilege Escalation Vulnerability). Given the popularity of the service, real-life zero-day exploitation is probably a fair expectation.

              Note: Quick initial response, and reasonably timely fix.

              Further investigation into vulnerabilities reveals a total of two major and three minor ones, as detailed below.

              APPENDIX A: CVE Search & History Results Summary

              Hotspot Shield Security Vulnerabilities

              2020 Payload Evaluation: Remote privilege escalation, serious breach of intended privacy

              Details: Hotspot Shield VPN New Privilege Escalation Vulnerability

              2018 Payload Evaluation: sensitive information divulgence, serious breach of intended privacy

              Details:
              Hotspot Shield runs a webserver with a static IP address 127.0.0.1 and port 895. The web server uses JSONP and hosts sensitive information including configuration. User controlled input is not sufficiently filtered: an unauthenticated attacker can send a POST request to /status.js with the parameter func=$_APPLOG.Rfunc and extract sensitive information about the machine, including whether the user is connected to a VPN, to which VPN he/she is connected, and what is their real IP address.
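The class of flaw described above, an unauthenticated loopback status endpoint that answers with JSONP, is shown here next to a hardened handler. This is an added, simplified Python model and not Hotspot Shield's code: the handler signatures, the state fields, the `X-Status-Token` header and the token value are assumptions, and only the address, port and `func` parameter come from the advisory text.

```python
import hmac
import json

EXPECTED_HOST = "127.0.0.1:895"   # loopback address and port named in the advisory
PUBLIC_FIELDS = ("connected",)    # assumption: all a local status poll needs

# Constructed sample state and per-install secret (a real one would come from
# secrets.token_urlsafe() at install time and be readable only by the local client).
SAMPLE_STATE = {"connected": True, "server": "vpn-node.example", "real_ip": "198.51.100.23"}
INSTALL_TOKEN = "constructed-install-token"


def status_unfiltered(params, state):
    """Model of the weakness: no caller check, `func` echoed as-is, full state returned.

    Any web page open in the user's browser can load this response as a script
    and have its own function called with the machine's VPN state.
    """
    func = params.get("func", "callback")
    return "%s(%s);" % (func, json.dumps(state, sort_keys=True))


def status_hardened(params, headers, state, install_token):
    """Return (http_status, content_type, body); header names are assumed normalized."""
    # 1. Only the literal loopback endpoint is accepted as Host, so a hostile
    #    domain re-pointed at 127.0.0.1 (DNS rebinding) is refused.
    if headers.get("Host") != EXPECTED_HOST:
        return 403, "text/plain", "forbidden"
    # 2. A per-install secret in a custom header: a web page does not know it, and
    #    a custom header forces a CORS preflight that this service never approves.
    supplied = headers.get("X-Status-Token", "")
    if not hmac.compare_digest(supplied.encode(), install_token.encode()):
        return 403, "text/plain", "forbidden"
    # 3. No JSONP: plain JSON cannot be read cross-origin through a <script> tag.
    if "func" in params:
        return 400, "text/plain", "callbacks are not supported"
    # 4. Return the minimum; never the real IP address or the server name.
    body = json.dumps({k: state[k] for k in PUBLIC_FIELDS}, sort_keys=True)
    return 200, "application/json", body


if __name__ == "__main__":
    print(status_unfiltered({"func": "pageFn"}, SAMPLE_STATE))
    good = {"Host": EXPECTED_HOST, "X-Status-Token": INSTALL_TOKEN}
    print(status_hardened({}, good, SAMPLE_STATE, INSTALL_TOKEN))
    print(status_hardened({"func": "pageFn"}, {"Host": EXPECTED_HOST}, SAMPLE_STATE, INSTALL_TOKEN))
```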

              CVE List

              NVD Vulnerability Search Results – Hotspot Shield 

              NVD – CVE-2020-17365

              NVD – CVE-2018-6460

              Additional CVEs noted here: 3 Popular VPN Services Are Leaking Your IP Address 

              CVE-2018-7879, CVE-2018-7878, CVE-2018-7880

              A few other web hits come up; these may be spurious, as they are NOT noted in NIST, and Mitre.org lists reservations only (CVE-2018-7879).

              CVE History (Web Search Sample)

              NVD – CVE-2018-6460

              Hotspot Shield VPN New Privilege Escalation Vulnerability

              Hotspot Shield Has Patched A Serious Vulnerability In Its Windows Client | Techradar

              Vulnerability Summary for the Week of January 29, 2018 | CISA

              Hotspot Shield Vulnerability Statistics

              A Flaw In Hotspot Shield Can Expose VPN Users’ Locations | ZDNet

              3 Popular VPN Services Are Leaking Your IP Address

              •   Does Hotspot Shield have a No Logging policy?

              Hotspot Shield advertises a No Logging Policy; this is generally considered to be ineffective as the Privacy Policy is invasive.

              •  Have they been audited by a 3rd party confirming this? If they do log, what’s the retention policy?

              N/A – although some other reviews mention 3 Years retention (A retention period regarding collected and sold data was not found in Aura’s Privacy Policy).

              •  Does Hotspot Shield have a canary on the website? 

              Nothing specific was found. The company would be vulnerable as US-based.

              •  Is Hotspot Shield based in one of the following locations UK, USA, or EU? If they are, are they compliant (e.g., GDPR, CCPA)?

              Based in the US. The website links to parent operator Aura who state CCPA compliance.

              Sources:  

              Aura Digital Security: Consumers may not sell their personal information

              CDT’s Complaint To The FTC On Hotspot Shield VPN

              •  Can you purchase a VPN subscription anonymously?

              No.

              • What personal information must you provide to purchase a subscription or begin a free trial? 

              Email & Paypal or credit card is required for the paid version (no crypto etc). Not needed for a free trial.

              Source: Order placed at the time of testing

              Note: The website requests the same for the free trial, however, you can bypass that requirement by simply downloading and installing. The parent company states “Please note that we do not require users to create accounts in order to use the free versions of our VPN products.”

              Source: Aura Digital Security: Consumers may not sell their personal information

              • Can multifactor authentication be implemented?

               No. The only reference to multi-factor is about suggestions on keeping safe: What is the Identity Scan feature of Hotspot Shield? Searching for “factor” reveals more results, but nothing related to the service/app.

              • What is the level of encryption used?

              AES 128 or 256 is offered. 128 is the default.

              • What encryption cipher is used? 

              AES.

              •  Do the VPN apps have kill switches, in case the VPN connection drops?

              Yes (on Windows and Android only).

              •  In what country is Hotspot Shield located?

              The US.

              • What is the likelihood of Hotspot Shield sharing data with governments?

              Very Likely.

              • What data does Hotspot Shield collect on VPN users?

              Reportedly data collection and ‘sale’ applies to free users only:

              Identifiers (such as advertising identifiers and cookies)

              Internet or other network or device activity (such as what Aura app you’re using);

              Approximate geolocation information (city-level location data)

              Source: Aura Digital Security: Consumers may not sell their personal information

              • Does Hotspot Shield share any customer data with third parties? 

              Yes. Collect and sell as per above.

              Minor Update 20/07/2021:

              When attempting to switch VPN protocols on 20/07/2021 approx 22:00 Hrs AEST, the ‘Protocols New’ section was NO LONGER available in the UI. The version remains the same. In fact, the only difference so far as I recall is that the VM was shut down and turned on a day or so later. After rebooting, it showed up again. A query has been sent to support about this, and they suggested ‘updating’, however the provided executable was older than the running build. In other words, the feature is still in beta.

              Data Privacy Protection - Gillian Carrington

              Jurisdiction

              • Where is Hotspot Shield headquartered?

              Hotspot Shield is the trading name of the Aura Group. The principal companies in the Group are Pango Inc., headquartered in Redwood, CA, USA, and Pango GmbH, headquartered in Stans, Switzerland. 

              Other companies in the group include Intersections Inc., Get Aura Inc., Betternet LLC and Touch VPN Inc. Depending on which Hotspot services are used, the relevant entity for data protection may be any one of those companies or their corporate affiliates.

              • How does the company’s location influence the privacy of its customers?

              Hotspot has chosen locations primarily in the USA and Switzerland. In federal terms, the USA is not a good data privacy jurisdiction, as confirmed by the CJEU in the Schrems cases. The CLOUD Act problem continues to cause trouble in Europe. 

              However, California was the pioneer of states legislating for data protection and has at the time of writing probably the most advanced data protection for individuals in the USA. Switzerland has the benefit of an adequacy decision from the European Commission. 

              The Swiss data protection law currently in force is somewhat old-fashioned as it was modeled on the European data protection legislation preceding the GDPR. The Swiss government has brought forward draft legislation that, if passed, will align the law more closely with the GDPR and introduce an element of data localization. 

              In general terms, it seems that Hotspot has opted for jurisdictions with open data protection.

              •  Is the jurisdiction of the country where Hotspot Shield is located known for working/not working with law enforcement?

              California is a developed jurisdiction with a good record for working with law enforcement. Switzerland is also a developed jurisdiction and a signatory to most of the main international treaties governing law enforcement. 

              Swiss banking secrecy has been in decline since 2018 when the country began sharing financial account data cross-border in support of a crackdown on tax evasion. Nonetheless, the level of secrecy relating to Swiss bank accounts is still greater than in many other jurisdictions.

              • Are there international laws in place to provide data outside of the country?

              The USA is a signatory to a large number of international treaties and instruments, both global and regional. Full details are available on the State Department’s website and include treaties such as:

              1. UN Convention Against Illicit Traffic in Narcotic Drugs and Psychotropic Substances (1988);
              2. UN Convention for the Suppression of the Financing of Terrorism (1999);
              3. UN Convention Against Transnational Organized Crime (2000);
              4. UN Convention Against Corruption (2003); and
              5. Budapest Convention on Cybercrime (2004).

              Switzerland is a member of the Council of Europe and a signatory to the Council treaties and conventions governing mutual legal assistance. It is also a signatory to other international treaties such as:

              1. UN Convention Against Illicit Traffic in Narcotic Drugs and Psychotropic Substances (1988);
              2. UN Convention for the Suppression of the Financing of Terrorism (1999);
              3. UN Convention Against Transnational Organized Crime (2000); and
              4. UN Convention Against Corruption (2003).

              Privacy Policy

              • How current is Hotspot Shield’s privacy policy?

              June 8, 2021.

              • How frequently is their privacy policy being updated?

              “From time to time”, to comply with changes in laws, industry standards, and business practices.

              • When was Hotspot Shield’s privacy policy last updated?

              June 8, 2021.

              •  Does Hotspot Shield inform its customers (e.g., via email) when the privacy policy gets updated?

              The company will also provide advance notice of any changes materially affecting users’ privacy rights by email or through the services it provides.

              • What identifiable personal information is being collected (according to the privacy policy)?

              The company has different data collection points for different products. The company also has a policy of not collecting information showing that their VPN services were accessed over a VPN. Common to all are the following:

              1. Email address, name, username, password; for identity protection products also Social Security number
              2. Payment information including billing name, billing address, payment instrument.
              3. Identity verification information e.g., email address, telephone number (some products only)
              4. Cookie-related data
              5. Communication optimization data (tracking data, possibly the user’s operating system)
              6. Communications and submissions when communicating with the company
              7. Usage information
              8. Device information
              9. Diagnostics information
              10. Imprecise location information based on the user’s ISP address
              11. Third-party referral information
              12. Third-party account details (e.g. Google and Microsoft accounts, bank accounts, social media accounts) where the organization holding the account may send some personal details to the company
              13. Third-party threat information may contain personal data on an incidental basis
              14. Third-party business customers may submit personal data from others (note: Hotspot Shield sees itself as a data processor with regard to its business customers)
              15.  Third-party monitoring information.

              Depending on the service selected, Aura Identity Protection users may be asked to provide a wide range of personal data, both for themselves and their families, including minors if enrolled in a Family Plan. 

              This includes information such as date of birth, passport numbers, geolocation, social media access, photographs, information about social media contacts, financial transactions, credit reports, and details of the user’s children. In the USA, this information may be shared with law enforcement agencies.

              The following are additionally collected from Aura Antivirus users (note that there is some information sharing with third-party providers in relation to security and diagnostics information):

              1. IP address and geolocation
              2. Administrative information such as license key numbers
              3. Device information such as IP address, browser, operating system, device ID
              4. Security information such as executable files identified as malware
              5. Diagnostics information 

              The following are additionally collected from Roboshield users (in the USA, this information may be shared with law enforcement agencies):

              1. Caller IDs
              2. Network routing information
              3. Dates and times of calls, including calls blocked by the user
              4. Device information such as IP address, browser, operating system
              5. Enhanced caller IDs, call labels
              6. User address book information (if access is granted) 

              For VPN Product Users, the company has a strict policy that VPN products do not store any information about what any specific user browsed or accessed through a VPN connection. IP addresses are not logged. When a VPN connection is initiated, the user’s IP address is collected, immediately encrypted, and deleted at the end of the session.

              For Betternet Safe Shopping, online shopping and usage data are collected as well as URLs of websites visited when not interacting with Betternet. These data are not associated with the user’s personal data. Cookies are set when using Betternet.

              For Figleaf users, additionally, certain usage data is collected such as OS, browser version, or frequency of use. There are two Figleaf settings enabling the user to choose whether to share device ID.

              •  Is any identifiable personal information shared with any of Hotspot Shield’s partners, data processors, or similar?

              Information shared relates to payment processing, email automation, website and app diagnostics, analytics, delivering marketing and advertising content, security, and research (“sanitized”), investment or acquisition, compliance with the law, and prevention of fraud. 

              Identified third-party providers include Google and Microsoft. Where a user has chosen free Hotspot Shield services, the company allows advertising. While the company does not share any personal information with the advertisers, they may be able to access certain information using SDKs.

              • Is any identifiable personal information mandatory to purchase a subscription and use the VPN service?

              It depends on the product. In general, an email address is required for account creation purposes and payment data for payment processing purposes. Some products may require identity verification information and/or Social Security Numbers.

              • Is Hotspot Shield’s privacy policy GDPR compliant?

              Not quite, but very nearly.

              •  If personal data is being collected, what justification in accordance with GDPR is being given for the collection of identifiable personal information?

              The company’s legitimate interest, to provide the services contracted for, user consent, and to comply with the law.

              •  Is Hotspot Shield’s privacy policy CCPA compliant?

              Near enough.

              • Does the privacy policy address “logging” of identifiable personal information? (Logging Policy)

              Yes.

              •  Are access logs being kept?

              Yes.

              Terms of Service

              • Are there any VPN use cases/types of traffic (Torrenting, Tor Network, etc.) not allowed?

              Hotspot prohibits the following uses:

              “(a) use the Software or the Service for any fraudulent, harassing or abusive purpose, or so as to damage or cause risk to our business, reputation, employees, subscribers, facilities, or to any person;

              (b) rent, lease, loan, sell, resell, sublicense, distribute or otherwise transfer the Service, the Software or any Materials (as defined in Section 10, below);

              (c) delete the copyright or other proprietary rights on the Software or the Service;

              (d) use the Software or the Service for any illegal purpose, or in violation of any local, state, national, or international law;

              (e) use the Service or the Software for any commercial use, it being understood that the Software and the Service is for personal, non-commercial use only;

              (f) use the Software or the Service if you are not Eligible;

              (g) remove, circumvent, disable, damage or otherwise interfere with security-related features of the Software or the Service, features that prevent or restrict use or copying of the Software, or features that enforce limitations on the use of the Service;

              (h) reverse engineer, decompile, disassemble or otherwise attempt to discover the source code of the Service or the Software or any part thereof, except to the extent that such restriction is expressly prohibited by applicable law;

              (i) modify, adapt, translate or create derivative works based upon the Software or the Service or any part thereof; or

              (j) Intentionally interfere with or damage operation of the Service, by any means, including uploading or otherwise disseminating viruses, adware, spyware, worms, or other malicious code.”

              Leaks

              • Have there been any known instances where Hotspot Shield has provided a government with customer information or data?

              None identified. Although the company provides contact details for government agencies, it is clear that it does not have any data worth sharing with third parties.

              • Have there been any leaks of customer information or data?

              A few years ago, Hotspot Shield suffered from a bug leaking user data. Since then, an incident has been reported of leakage of a real IP address via the Android app. 

              In August 2017, the privacy advocate Center for Democracy and Technology (CDT) filed formal charges with the Federal Trade Commission (FTC) against Hotspot Shield for allegedly intercepting and redirecting user data to partner websites including advertising firms.

              Business Structure - Tamara Milacic

              Company Background

              •  What’s the operating company name (trading name) behind Hotspot Shield?

              Initially, AnchorFree, Inc. As of 2018, it trades under Pango Inc. Pango was acquired by Aura Company in 2020.

              • When was Hotspot Shield founded?

              AnchorFree was founded in 2005. It released Hotspot Shield in 2008.

              •  Where was it founded?

              Menlo Park, California, United States.

              • Where are Hotspot Shield’s headquarters located today?

              Menlo Park, California, United States.

              • Is it known if Hotspot Shield’s employees are working remotely? What percentage of the workforce is distributed?

              The Pango employees are distributed across the US, Ukraine, India, and Switzerland. However, the office locations are listed as in the US and Switzerland. The assumption is that the remainder of the employees may work remotely.

              •  Who were the founders of Hotspot Shield?

              David Gorodyansky, Eugene Malobrodsky, and Peter Hoag co-founded AnchorFree. 

              • What are/were their functions in the company?

              David Gorodyansky was CEO until 2019. Eugene Malobrodsky was CTO from 2005 to 2014 and then Chief Strategy Officer until he left the company in 2020. Peter Hoag was a Board member and COO from 2006 to 2018.

              •    Are the founders still running the company?

              No.

              •   What were the backgrounds of the founders? Did they have any relevant expertise to found this company?

              David Gorodyansky: Bachelor’s Degree in Business from the San Jose State School of Business. He co-founded, with Eugene Malobrodsky, one company prior to AnchorFree called Intelligent Buying Inc, which is no longer in operation. Prior to that, he worked for one year as a Strategy Consultant. Overall 4 years of experience prior to founding AnchorFree.

              Eugene Malobrodsky: Bachelor’s Degree in Marketing from the University of San Francisco. He worked as an engineer, IT manager, and Director of Sales between 1997-2002. He then co-founded Intelligent Buying Inc with David. He had 8 overall years of experience prior to founding AnchorFree.

              Peter Hoag: Ph.D. in Geography from the University of Michigan. He was in the Marine Corps for 6 years. He then worked as a Faculty member at the University of Toronto. He co-founded a technology company called Cardinal Technologies between 1992 and 1995. He was also a Vice President in IT at Visa and a Product Manager at Remedy Inc. His experience spanned decades prior to joining AnchorFree in 2006.

              • Do they own more than one VPN? If so, what are the names of the other VPNs?

              Yes – Pango Inc owns Betternet (HexaTech), VPN 360, and Fireshield.

              Trademarks

              • Does Hotspot Shield own any trademarks? What are the trademarks and registration numbers? In which categories are the trademarks registered?

              Hotspot Shield in itself does not own any trademarks. All trademarks, including the one for Hotspot Shield, are owned by the operating company Pango Inc.

               

              Trademark: Anchorfree
              Registration number: 4225414
              US categories: 100 Miscellaneous; 101 Advertising and business; 102 Insurance and financial
              International categories: 35 – advertising

              Trademark: Betternet
              Registration number: 4892495
              US categories: 100 Miscellaneous; 101 Advertising and business; 104 Communication
              International categories: 38 – telecommunications

              Trademark: Hotspot Shield
              Registration number: 5294805
              US categories: 21 Electrical apparatus, machines, and supplies; 23 Cutlery, machinery, and tools and parts thereof; 26 Measuring and scientific appliances; 36 Musical instruments and supplies; 38 Prints and publications
              International categories: 009 – Scientific, nautical, surveying, electric, photographic, cinematographic, optical, weighing, measuring, signaling, checking (supervision), life-saving, and teaching apparatus and instruments

              Trademark: VPN360
              Registration number: 5620570
              US categories: 21 Electrical apparatus, machines, and supplies; 23 Cutlery, machinery, and tools and parts thereof; 26 Measuring and scientific appliances; 36 Musical instruments and supplies; 38 Prints and publications
              International categories: 009 – Scientific, nautical, surveying, electric, photographic, cinematographic, optical, weighing, measuring, signaling, checking (supervision), life-saving, and teaching apparatus and instruments

              Trademark: Robo Shield
              Registration number: 6137129
              US categories: 21 Electrical apparatus, machines, and supplies; 23 Cutlery, machinery, and tools and parts thereof; 26 Measuring and scientific appliances; 36 Musical instruments and supplies; 38 Prints and publications
              International categories: 009 – Scientific, nautical, surveying, electric, photographic, cinematographic, optical, weighing, measuring, signaling, checking (supervision), life-saving, and teaching apparatus and instruments

                

              Financing

              • How is/was the company funded? 

              AnchorFree was founded with and had 4 VC-backed rounds.

              ○ If externally funded, how much money was raised? How many rounds of funding? When was the last funding?

              $387.6M has been raised in 4 rounds so far. The last one was in 2018 for $295M.

              • Who owns the company now? 

              Pango was acquired by Aura Company in 2020.

              •  If it’s now owned by another company (Holding Company, HoldCo), what is the mission of HoldCo?

              Aura is a mission-driven digital security company dedicated to creating a safer internet.

              •  Does Aura own other companies? Any in the privacy/security tech space? 
              1. Figleaf – digital security and privacy across all devices by enabling users to anonymize their data
              2. Privacy Mate – monitors and prevents the collection, sale, and widespread dissemination of private personal information

              Status

              •  How many people work at OpCo?

              Pango Inc.:

              Crunchbase numbers – 101-250

              LinkedIn numbers – 201-500

              Business Model

              • What is the business model? 

              Hotspot Shield has a SaaS model. Likewise, its operating company, Pango, sells Hotspot Shield along with 3 other services (password manager, identity theft shield, and robocall blocker) on a subscription basis as well.

              •  Who are Hotspot Shield’s target customers? 

              Hotspot Shield offers VPN subscription services to private individuals and businesses. For businesses, their offer focuses on SMEs.

              •     Is any financial information about the company’s performance public?

              No. There are estimates of $10M annual revenue but that doesn’t seem reliable.

              •       Is the company profitable? If so, since when? How much?

              N/A

              History

              •  Was there ever an exit event for the company? Sale or IPO?

              ○ At which stage of funding?

              At the 4th stage of funding, Pango Inc was sold to Aura Company.

              ○ What was its valuation at exit?

              The Aura purchase was for an undisclosed amount.

              • How has it developed since then (employees, revenue, user growth)?

              N/A

              •    Is anything else known?

              N/A

              Company Structure

              • What does the company structure look like? 

              Aura company owns Pango. Pango is the operating company of Hotspot Shield.

              •  Are there multiple companies (specific marketing or sales entities or similar)?

              No.

              •  Where are these companies’ headquarters located?

              Hotspot Shield – Menlo Park, California, United States

              Pango – Redwood City, California, United States

              Aura Company – Burlington, Massachusetts, United States

              •   Who are the beneficial owners of these companies? How much do they own? 

              There is public information about the investors in Aura Company but not about the ultimate owners.

              Aura is funded by 4 investors – Warburg Pincus, General Catalyst, Green Bay Ventures, and WndrCo. WndrCo was also an investor in Pango before it was sold to Aura Company.

              Aura Company Structure

              Pricing - Brendan Filipovski

              Personal/Professional/Family Plans

              •  What Hotspot Shield subscription plans are available (features, limits, subscription length) and how expensive are they? What are the discounts on them? What are the savings in opting for a long-term subscription?

              Hotspot Shield offers three plans: Basic, Premium, and Premium Family.

              The Basic plan is free but only offers one device connection for one unique user, one virtual location, a 500MB daily limit, and a 2Mbps connection speed. Streaming and gaming are restricted.

              Premium is $12.99 a month or $7.99 a month with an annual subscription (a 38% discount). It offers five device connections for one unique user, 115+ locations, 1Gbps speed, and unlimited daily data. There are no restrictions on streaming and gaming. It also includes virus and malware protection, a password manager, and secure document storage.

              Premium Family is $19.99 a month or $11.99 a month with an annual subscription (a 40% discount). It offers five device connections each for five unique users, 115+ locations, 1Gbps speed, and unlimited daily data. There are no restrictions on streaming and gaming. There is no virus and malware protection, password manager, or secure document storage.

              • Are there additional plans, like premium or family plans available? What are the details?

               See above

              •   Where can you buy a Hotspot Shield subscription?

              Website, iOS, and Android.

              •     Does Hotspot Shield charge the same in all countries it’s available in or does the price depend on country or currency?

              Same across five different countries.

              • What payment methods are available for purchasing a Hotspot Shield VPN subscription?

              Visa, Mastercard, AMEX, JCB, Discover, Diners, and Paypal.

              •  Is there an option to pay for Hotspot Shield anonymously?

              No

              • Under what circumstances will they release a user’s billing info/ID to third parties?

              If you tell them to or you give permission to a service; to your company if it is a company account; to affiliates and third-party service providers (e.g., payment providers); and to comply with a legal process and the law.

              •  Does Hotspot Shield offer a free trial period? How long does it last?

              No, but it does offer a free limited feature service.

              • Does Hotspot Shield offer a money-back guarantee? For how long?

              Yes, a 45-day money-back guarantee.

              •   How does the cancellation policy work?

              Through Contact Support via an online submission form.

              •  Does the VPN offer any bundles that include the VPN? What is included in the bundles? What are the available plans?

              The Premium offer includes antivirus and malware protection, a password manager, and secure document storage.

              Through the site of Hotspot’s parent company, Aura, you can purchase digital security, identity theft, and fraud protection that includes a Wi-Fi security VPN.

              Enterprise Plans

              • Are team/enterprise plans available? Do they offer additional features over the standard plans?

              Pango, which is the company behind Hotspot Shield, offers a business VPN service called Twingate.

              It claims to be a secure connection service for companies that use the cloud, and to be better than a normal VPN. No public gateways.

              •  What costs are involved? What payment plans are available?

              $6 per user per month for teams. $5 per user per month with an annual subscription.

              $12 per user per month for a business. $10 per user per month with an annual subscription. Custom rates for enterprises.

              •    What are the limits (minimum number of users/seats, etc.)?

              Teams: Up to 50 users, 5 devices per user, and 5 remote networks.

              Business:  Up to 150 users, 5 devices per user, and 10 remote networks.

              Enterprise: Unlimited users, unlimited devices per user, and unlimited remote networks.

              •  What permission/admin settings are available for remote users?

              Control user access at the network and resource level for Enterprise users.