https://www.theregister.co.uk/2019/04/12/uscert_vpn_alert/

The US-Cert is raising alarms following the disclosure of a serious vulnerability in multiple VPN services.

A warning from the DHS cyber security team references the CMU Cert Coordination Center's bulletin on the failure of some VPN providers to encrypt the cookie files they place onto the machines of customers.