"Our findings confirm the criticality of the current situation: many of these providers leak all, or a critical part of the user traffic in mildly adversarial environments.
"The reasons for these failings are diverse, not least the poorly defined, poorly explored nature of VPN usage, requirements and threat models."
The team probed the top client software versions of providers including Hide My Ass, PrivateInternetAccess, and IPVanish. They set up a dual-stack campus Wi-Fi network on OpenWrt, with IPv6 carried through an IPv4 tunnel, with updated Ubuntu, Windows, OSX, iOS 7, and Android clients. This simulated the environment in which users would trust VPNs to protect them from a hostile network, they said.