THEVPNMATRIX
    ← Back to Blog

    HideMyAss VPN Review (2026)

    The VPN that logged a user and handed the data to the FBI. What the 2011 case still tells you, who owns HMA now, and whether its no-logs turn has actually been proven.

    VPN ReviewPublished · 9 min read· By Privacy Research Desk

    Evidence-based review per our 28-criteria methodology · affiliate disclosure

    Quick answer

    HideMyAss is a long-running UK VPN, now part of Gen Digital, the company behind Norton and Avast. It is best known for one thing, the 2011 case in which it logged a user's connections and handed them to the FBI. It has since adopted a no-logs policy, verified once by an outside firm in 2020. In our evidence matrix it scores 3.25. As a casual tool from a big brand it works. For anyone whose reason for using a VPN is to resist a determined legal request, its UK jurisdiction and its history make it a weak choice next to a provider that sits in a stronger jurisdiction and proves its no-logs claim again and again.

    The 2011 case that defines HideMyAss

    In 2011 a member of the hacking group LulzSec used HideMyAss to hide his address while attacking Sony Pictures. HMA received a court order, complied with it, and provided the connection records it held. Those records, the times a specific account connected and the originating IP address, helped the FBI identify Cody Kretsinger, who pleaded guilty and was later sentenced to about a year in federal prison (The Register; US Department of Justice).

    HMA did not hide from it. Its public defence was that a legitimate company cooperates with a court order, and that the alternative, refusing, would invite far worse, such as having its whole network monitored. That argument is reasonable on its own terms. The lesson for a reader is the one that outlasts the case. A no-logs promise is only worth what the company actually keeps and the jurisdiction it keeps it in. HMA held connection records and sat in a country that could compel them, so the promise on the website was not the thing that decided the outcome. The data it retained was.

    This is why we weight an audited record of what a provider retains, and the jurisdiction it operates in, above any marketing claim. You can read how we grade all of it on our methodology page.

    Who owns HideMyAss

    HideMyAss was built in 2005 by Jack Cator, reportedly at sixteen, to get around a school firewall, and run through his company Privax. AVG bought it in 2015 (AVG newsroom). AVG was then absorbed by Avast in 2016, and Avast merged with NortonLifeLock in 2022 to form Gen Digital (Wikipedia). So HMA now sits in the same portfolio as Norton, Avast, AVG and Avira.

    That matters in the way ownership always does. HMA answers to a large public company whose incentives are its own, and it shares a corporate roof with several other security brands. None of that makes it unsafe by itself. It does mean the brand on the app is not an independent operator, which is worth knowing before you trust it, and it is the same lesson as our wider VPN ownership map.

    Where HideMyAss is based

    HideMyAss is based in the United Kingdom. The UK is a member of the Five Eyes intelligence-sharing alliance, and the Investigatory Powers Act 2016 gives the state broad data-retention and interception powers. That is the backdrop to the 2011 case, and it has not changed. A provider in the UK can be served with a lawful order, and our jurisdiction data grades HMA's location as poor for exactly this reason. If the country your provider sits in is part of your threat model, this is the line that should give you pause.

    The no-logs claim and the single audit

    To its credit, HMA changed course. Before 2020 it retained connection logs, reportedly for around 30 days. In 2020 it announced a no-logs policy and commissioned the firm VerSprite to assess its apps and infrastructure, which rated the user-privacy impact as low (PR Newswire; ProPrivacy).

    Read that for what it is. It is a real improvement, and a public one. It is also a single assessment, paid for by the provider, in 2020. We could find no newer no-logs audit in the years since. The strongest providers now publish independent no-logs audits on a repeating schedule, so each year's claim is checked again. One audit five years ago is better than none, but it is not the same thing, and a review that pretended otherwise would be doing the reader a disservice.

    How HideMyAss scores in our matrix

    HideMyAss scores 3.25 in our formula, last verified 21 January 2026. The product itself is competent. It has wide platform coverage, a large server network and the backing of a major security company, and it scores reasonably on those practical lines. What pulls the number down is the part that matters most to a privacy buyer, a poor jurisdiction and a thin, dated audit trail against rivals that verify themselves repeatedly. The score is a competent product weighed down by the things you cannot patch with a faster server. Our rankings are formula-driven and never moved by commission.

    Who should use HideMyAss

    Use HideMyAss if you want a mainstream VPN from a large brand for everyday tasks like geo-unblocking and basic protection on public Wi-Fi, and the company's jurisdiction and history are not part of why you want a VPN in the first place. It is a working product and a well-resourced one.

    Choose something else if your reason for using a VPN is to resist a determined legal adversary, or if you simply want the strongest evidence rather than the biggest brand. On our evidence, NordVPN leads on raw score, and Proton VPN pairs a top-tier score with a repeatedly audited Swiss no-logs record and a jurisdiction outside the Five Eyes. Both are disclosed affiliate partners, and that disclosure is the reason you can trust the ranking, which is computed from evidence rather than from who pays us. You can weigh every provider we grade, HideMyAss included, in our comparison tool.

    The point is not that HideMyAss is a scam. It is that its own most famous moment is the clearest demonstration of the rule that should guide the choice. Judge a VPN on what it retains and where it sits, not on the name.

    Frequently asked questions

    Did HideMyAss really give logs to the FBI?

    Yes. In 2011 HMA complied with a court order and provided connection logs (when a user connected and the originating IP, not traffic content) that helped the FBI identify a LulzSec member, Cody Kretsinger, who had used HMA to mask his IP during an attack on Sony Pictures. He later pleaded guilty and was sentenced to about a year in prison.

    Does HideMyAss keep logs now?

    HMA says no. It adopted a no-logs policy in 2020, reversing its earlier practice of retaining connection logs for around 30 days, and had a privacy impact assessment done by the firm VerSprite that rated user-privacy impact as low. That is one vendor-commissioned audit from 2020, not the recurring independent verification some competitors publish.

    Who owns HideMyAss?

    Gen Digital, the company behind Norton, Avast, AVG and Avira. HMA was founded by Jack Cator in 2005 under Privax, bought by AVG in 2015, folded into Avast when Avast acquired AVG in 2016, and brought under Gen Digital when NortonLifeLock and Avast merged in 2022.

    Where is HideMyAss based?

    The United Kingdom, a Five Eyes member with data-retention and interception powers under the Investigatory Powers Act 2016. Jurisdiction is part of why a determined legal request is a real consideration with HMA.

    Is HideMyAss safe to use?

    It works and it is run by a large security company, so for casual use such as geo-unblocking it is functional. For privacy-critical use the UK jurisdiction, the 2011 logging history, and a single 2020 audit make it weaker than providers with a stronger jurisdiction and repeated independent no-logs audits.

    References

    1. [1]AVG Technologies (2015) 'AVG acquires Privax', Gen Digital newsroom. Available at: https://newsroom.gendigital.com/2015-05-06-avg-acquires-privax (Accessed: 16 June 2026).
    2. [2]PR Newswire (2020) 'HMA VPN no-logging policy verified by cyber-risk consulting firm VerSprite', PR Newswire. Available at: https://www.prnewswire.com/news-releases/hma-vpn-no-logging-policy-verified-by-cyber-risk-consulting-firm-versprite-301106096.html (Accessed: 16 June 2026).
    3. [3]ProPrivacy (2021) 'HMA goes no-logs: what changed and what it means', ProPrivacy. Available at: https://proprivacy.com/privacy-news/hma-no-logs (Accessed: 16 June 2026).
    4. [4]The Register (2011) 'HideMyAss defends role in LulzSec hack arrest', The Register. Available at: https://www.theregister.com/2011/09/26/hidemyass_lulzsec_controversy/ (Accessed: 16 June 2026).
    5. [5]US Department of Justice (2012) 'Member of LulzSec hacking group sentenced to over a year in federal prison for 2011 intrusion into Sony', US Attorney's Office, Central District of California. Available at: https://www.justice.gov/usao-cdca/pr/member-lulzsec-hacking-group-sentenced-over-year-federal-prison-2011-intrusion-sony (Accessed: 16 June 2026).
    6. [6]Wikipedia (2026) 'HMA (VPN)', Wikipedia. Available at: https://en.wikipedia.org/wiki/HMA_(VPN) (Accessed: 16 June 2026).

    NordVPN

    Top-rated VPN with excellent features

    Get Deal

    Cookie Preferences

    We use essential storage for site functionality. Optional analytics only run if you opt in.

    Learn more
    Questions or concerns?

    Contact us via X, Substack, or see our Cookie Policy for full details.