VPNs have become a popular tool for helping keep user data private and anonymous. There is a VPN provider on every corner of the web, some good and some bad. NordVPN has generally been a VPN provider users could trust, but even the good guys can have bad days.
NordVPN has admitted that the company has been hacked after rumors of a breach surfaced. The initial leak revealed that an expired internal private key belonging to the company had been exposed. This breach could allow hackers to launch their own VPN servers that would imitate NordVPN.
UPDATED (10/21/19): We have updated this article with a statement from NordVPN:
“We would like to stress out that our service has not been hacked. None of the information available on the one server can be used to impersonate or decrypt the traffic of any other. This was an isolated case of one data-center in Finland. It did not impact thousands of other servers in any way, it is virtually impossible to do that.”
We’ve included the recap portion of their statement below; their entire statement is available on their official blog:
To recap, in early 2018, one isolated datacenter in Finland was accessed without authorization. That was done by exploiting a vulnerability of one of our server providers that hadn’t been disclosed to us. No user credentials have been intercepted. No other server on our network has been affected. The affected server does not exist anymore and the contract with the server provider has been terminated.
Even though only 1 of more than 3000 servers we had at the time was affected, we are not trying to undermine the severity of the issue. We failed by contracting an unreliable server provider and should have done better to ensure the security of our customers. We are taking all the necessary means to enhance our security. We have undergone an application security audit, are working on a second no-logs audit right now, and are preparing a bug bounty program. We will give our all to maximize the security of every aspect of our service, and next year we will launch an independent external audit of all of our infrastructure to make sure we did not miss anything else.
With this incident, we learned important lessons about security, communication, and marketing.
Statement from NordVPN; the entire statement and response can be found on their official blog.
A VPN provider essentially attempts to give users privacy by masking their IP address, thus preventing websites and other services from tracking their steps on the internet. Services like NordVPN route all of your web traffic through their encrypted servers and bounce that around a few servers for good measure. But just because these services are protecting you from others doesn’t mean the service can’t see what you’re doing.
While your ISP and visited websites won’t see what you’re doing, the VPN provider can see that activity. Most providers, including NordVPN, operate on the model of zero-logging. This means the provider does not keep any record of your internet traffic even though it can technically see your traffic. Here’s what NordVPN told TechCrunch regarding the hack:
NordVPN told TechCrunch that one of its data centers was accessed in March 2018. “One of the data centers in Finland we are renting our servers from was accessed with no authorization,” said NordVPN spokesperson Laura Tyrell.
The attacker gained access to the server — which had been active for about a month — by exploiting an insecure remote management system left by the data center provider, which NordVPN said it was unaware that such a system existed.
NordVPN did not name the data center provider.
“The server itself did not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted either,” said the spokesperson. “On the same note, the only possible way to abuse the website traffic was by performing a personalized and complicated man-in-the-middle attack to intercept a single connection that tried to access NordVPN.”
According to the spokesperson, the expired private key could not have been used to decrypt the VPN traffic on any other server.
TechCrunch
NordVPN has said they withheld the information to be sure that no other servers or systems were affected and to make sure everything was secured. The company says no other servers were affected and it appears no user data was compromised.
Using a VPN provider is still a good idea in many cases, but this just goes to show that not everything is foolproof or 100% safe from being hacked.