HMA (formerly HideMyAss) VPN has over 890 servers in a whopping 190 countries around the globe. That makes it a blinding option for accessing content from overseas. HMA has software for all platforms, and, that software is extremely easy to use. This makes HMA VPN a great option for beginners. The software can also be used on up to 5 simultaneous devices; which means that this VPN is suitable for families or people with a lot of devices. And, because this VPN implements strong OpenVPN encryption; it will protect your data from ISP and government snooping.
- Simultaneous connections 5
- Countries 190
- Jurisdiction UK
- ProPrivacy.com SpeedTest (average) 63.26 Mbps
Alternative VPN Choices for You
HMA VPN sells three premium subscription plans. The monthly plan is $11.99, which is a little on the pricey side. However, prices reduce considerably when you commit for a year ($83.88 - the equivalent of $6.99 per month) - or two years ($119.76 - the equivalent of $4.99 per month). (At the time of writing HMA has a special Valentines offer on that reduces the cost of the VPN to $2.99 per month).
All of the subscription plans for HMA VPN come with the same features; only the price changes. Customers are given the opportunity to test the service thanks to a 30-day money back guarantee.
However, it is worth noting that users must not exceed 10Gb of download usage before the ask for a refund as this will invalidate it. In addition, you cannot get a refund if you pay via iTunes or Google Play: so buy the VPN directly from HMA if you want to have the option of changing your mind. Many people report not being able to get their money back, so please remember this to ensure you are eligible.
Auto-renewal of subscriptions is enabled by default, so if you don’t want to renew you will need to cancel the sub in the control panel of the member's area after you log in to its website.
Payments can be made via credit or debit card. PayPal, iDEAL, bank/wire transfer, UnionPay and SOFORT banking are also accepted. HMA does not accept Bitcoin payments.
When it comes to streaming this VPN is a service that meets the gold standard. It is able to unblock a huge range of TV streams from around the globe, and, it manages to unblock highly sought after services such as BBC iPlayer and Netflix US. Many people choose to get this service because it is regarded as a great option for streaming.
HMA VPN Features
Asus routers, Tomato, DD-WRT,Vilfo
Bare metal or virtual servers
A HMA subscription comes with the following important features:
930 VPN servers in 280+ locations in 190+ countries
Five simultaneous connections
Supports OpenVPN, Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP) VPN protocols
Killswitch (Mac and Windows only)
24/7 live chat support
30-day money-back guarantee (as long as you don’t download more than 10 Gb of data during the 30-day period and buy the VPN directly from the HMA website)
Perhaps the best thing about this VPN s the high number of servers all over the world. HMA has servers in unusual places like the Falkland Islands, Papua New Guinea, Malawi, Serbia, and many more. If unblocking content in unusual places is important to you; this service might be of interest.
Speed and Performance
At ProPrivacy.com we test VPNs using a scientific server-based system. Our proprietary system tests VPNs three times a day connected via the OpenVPN protocol (for fairness across the providers). We test a UK server for local burst (top) speeds. And Honk Kong, US, UK, and Australian servers for download averages.
During our tests, we discovered average download speeds of 36.6 Mbps and burst speed results of 293.9 Mbps. These are outstanding connection speed results that underscore this VPN’s effectiveness as a streaming or gaming VPN. This VPN is capable of unblocking HD streams without issues.
IP leaks, WebRTC leaks, and DNS leaks
IPv4 leak detected?
WebRTC leak detected?
ProPrivacy.com SpeedTest (max/burst)
ProPrivacy.com SpeedTest (average)
We tested the VPN thoroughly for IP leaks and DNS leaks using ipleak.net. We discovered no IPv4 WebRTC, IP, or DNS leaks. This is great because we would not actually see any active DNS leak protection within the clients (I can only assume it is enabled at all times by default).
However, we did discover IPv6 WebRTC leaks in both Windows and Mac. This means you will need to either disable IPv6 on your desktop computer, use a WebRTC block extension, or disable WebRTC connections inside your browser.
All of thee methods will fix the leak; meaning that it is not severe (if you handle it and fix the leak).
Privacy and Security
IPv4 leak protection
IPv6 leak protection
WebRTC leak protection
HMA was acquired last year by the Czech company Avast Software. However, it is still managed and run in the UK.
Being based in the UK is enough to put some people off this VPN. The UK is a location where GCHQ has a lot of power. The UK’s intelligence agency is famous for performing a lot of surveillance. In addition, the government is able to issue warrants that force firms to hand over any data they have on their servers.
This is concerning - and is made all the more problematic - due to the fact that HMS keeps connection logs with timestamps stored next to user’s IP addresses. These logs are enough to mount a time correlation attack; which means that with enough effort it is possible to tie people to their activities while using the VPN.
Although the above is a reality, it is worth noting that it does not affect the vast majority of HMA VPN subscribers in practice. A time correlation attack is a highly targeted attack, and the government is highly unlikely to even actually perform one on anything but the most hardened of criminals.
This means, day to day users who want privacy from their ISP (for Torrenting or streaming, or anything else) - or to gain security from hackers while on public WiFi- - have no reason to be concerned about using HMA.
HMA does not keep any records of what people do online, these usage logs are always deleted. In addition, HMA claims to only store connection timestamps next to IP addresses for up to three months. (This is an unusual claim because it is in direct contradiction to the UK’s Investigatory Powers Bill, which says all firms must retain records for 12 months).
Finally, it is worth noting that there have been incidents when HMA has handed over logs to the police. In 2011, HMA handed over internet records and personal details about Cody Kretsinger to the cops. Kretsinger was a LulzSec member accused of hacking the Sony Pictures website; he was imprisoned on hacking charges (in part proven with the help of HMA). In 2017 a judge from Galveston County, Texas was arrested for harassing his ex-girlfriend. He was an HMA user whose IP address was uncovered using connection timestamps.
The HMA website claims that it implements its encryption as follows:
“OpenVPN is using OpenSSL with algorithms 3DES, AES 256, RC5, 256-bit encryption for the control channel (e.g. password, authentication, etc.).”
After much digging, however, I was able to figure out that HMA implements its encryption as follows:
Data channel: a Blowfish 128-bit cipher with HMC SHA-1 hash authentication.
Control channel: an AES-256 cipher with RSA-2048 handshake encryption and SHA-1 hash authentication. Perfect forward secrecy is provided courtesy of a Diffie-Hellman key exchange.
This encryption implementation is actually a bit weak. On the one hand - the control channel is strong and perfect forward secrecy is implemented - which is great. However, the data channel (which can be hacked separately to the control channel) is weak because of the 128 bit Blowfish cipher.
Blowfish 128 doesn’t come close to the protection provided by a 256 bit AES cipher (which is what the vast majority of premium VPNs offer nowadays). We would have to acknowledge that this VPN may be vulnerable to hacking from state-sponsored intelligence agencies such as the NSA and GCHQ.
In addition, the L2TP/IPsec connection with HMA uses a pre-shared key to authenticate connections. Generally speaking this is considered terrible for security, however, HMA has assured us that it is not a problem because your username and password provides additional authentication.
For more information on VPN encryption please read our VPN Encryption: Complete Guide.
We would suggest you stick to using this VPN for low-level privacy requirements such as WiFi security and concealing web traffic from your ISP. Anybody in need of staunch privacy levels (lawyers, journalists, political dissidents, etc.) is advised to look for a more secure service with a no logs policy and stronger encryption.
Money back guarantee length
HMA has excellent options when it comes to customer support. Live chat is available on its website 24/7 and its agents are both helpful and knowledgeable. Sometimes the agent took a few minutes to respond, but overall we found it to be pretty responsive and quick. All in all, pretty good for getting fast responses about unblocking content and installation help.
Admittedly, some of the techiest questions we asked had to be elevated to a more senior tech member of staff. This was done by the customer support agent who told me we would receive a response via email. Sadly, that response did not come.
The HMA website does an excellent job of drawing users in and convincing them to purchase the VPN; without actually giving them much valuable information. This is slightly frustrating, but it does have some useful setup guides (for setting the VPN up on a router, for example), and a blog section that helps people learn how to unblock specific online services, gain privacy while on public WiFi, and other useful information. This blog is updated fairly regularly with seasonal articles.
The Windows Client
Users get a choice of OpenVPN or L2TP/IPsec encryption. Sadly, however, despite claims (on its website) that the encryption is military grade AES 256 - the data channel is actually protected using 128-bit Blowfish (which is not as secure). Users can select between OpenVPN UDP and OpenVPN TCP on Windows.
On a more positive note, this VPN is fast and it unblocks a lot of content from around the world. We have to admit that for many people this VPN will get the job done.
It is though, worth asking if you are you happy paying this much for a VPN with limited features when you can pay a similar price for a VPN that offers more. This might largely come down to whether you need to connect to one of HMA’s more exotic server locations.
The Mac client
On the whole, the Mac OS X app is easy to use, and I found it to work without crashing. Having a large choice of server locations is useful, and, because this VPN is good for unblocking Netflix and iPlayer; it could be a worthy choice for people who like to stream.
OpenVPN encryption is available, however, it is worth noting that it is not implemented as strongly as it is with many competing VPNs on the market.
The mobile apps (iOS and Android)
If you are logging for a secure VPN for Android or iOS, you may be slightly disappointed with HMA. The VPN does not have DNS leak protection built into its clients, and, the mobile VPN apps have no additional features such as a killswitch.
On Android VPN users get OpenVPN encryption. On iOS users must settle for L2TP/IPsec. Having a large choice of servers is certainly useful, and for those who aren't particularly paranoid about security, this VPN may be suitable (it unblocks Netflix US and iPlayer).
If your primary reason for wanting a VPN for a mobile device is to protect your data on public WiFi - this VPN will do the job fine - and will stop hackers from being able to sniff your data.
If you are looking for a VPN that is highly regarded in terms of privacy, you may want to look elsewhere. Being based in the UK is not ideal, and because this VPN stores connection logs (timestamps and bandwidth used) next to user IP addresses: this VPN is not watertight. In addition, this VPN does not have DNS leak protection or a killswitch in its mobile apps. A killswitch is available in the desktop versions, but these are reactive not system level; which means that if the VPN crashes you will leak data.
Although HMA permits torrenting, it does ask users never to indulge in illegal downloading while using the service. If you are looking for a VPN primarily for torrenting we would recommend looking elsewhere.
So, why get HMA? HMA is a service that is not expensive, and, if you specifically require a server in a more exotic/rare location (that isn’t covered by other VPN providers) this VPN might be for you.
Security wise this VPN can protect you on public WiFi. Assuming you aren't someone who requires extremely high levels of privacy, the privacy provided by HMA is probably more than enough. However, it is worth noting that WebRTC leaks were detected on Windows and Mac - so you will need to patch these up manually (with an extension or by disabling WebRTC in your browser).
Speed test results were excellent, which means that this VPN is good for doing data-intensive tasks like streaming in HD or gaming. Also, don’t forget that this is one of the few VPNs that can unblock BBC iPlayer and Netflix US.