Well-known VPN service provider NordVPN has recently confirmed suspicions that the company was breached. Until the confirmation became official, there were only rumors about the incident circulating online.
Allegedly, an expired key is the culprit
The first rumor hinting that NordVPN might have been hacked arose directly from the exposure of an internal, expired private key belonging to NordVPN.
The exposed key reportedly allowed virtually anyone to set up servers impersonating NordVPN, which is quite the predicament if you ask us.
Why is it so important?
Well, to put it briefly, when you rely on a VPN you trust it with all of your browsing history and online activity, since that traffic is routed through the VPN's servers and away from prying eyes (such as, say, your ISP).
Although NordVPN claims to have a zero-logging policy, which implies that not even hackers could access personal browsing information, the breach is still raising concerns among NordVPN's customers.
Nothing critical happened
NordVPN's spokesperson, Laura Tyrell, told an online publication that back in March 2018 one of the Finnish data centers from which NordVPN rents servers was hacked. Reportedly, the then month-old server was breached by exploiting an "insecure remote management system left by the data center provider," which NordVPN claimed to have been unaware of.
Tyrell added: "The server itself did not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords couldn't have been intercepted either. On the same note, the only possible way to abuse the website traffic was by performing a personalized and complicated man-in-the-middle attack to intercept a single connection that tried to access NordVPN."
So, according to the spokesperson, the expired private key could not have been used to decrypt VPN traffic on any server.
They knew about it all along
Well, maybe not all along, but NordVPN claims to have known about the breach for a few months now; apparently, further information was not disclosed until the company was absolutely certain that every part of its infrastructure was completely secure.
Reportedly, some security researchers who took a closer look at the matter found the allegations troubling, claiming that NordVPN is not talking about the elephant in the room after the VPN provider stated that "no other server on our network has been affected." In one researcher's own words: "Your car was just stolen and taken on a joy ride and you're quibbling about which buttons were pushed on the radio?"
Not long after we reported the events above, NordVPN felt the need to clarify, offering a full list of clarifications as well as a timeline of the events. So, according to NordVPN:
- There are no signs that any of NordVPN's customers were affected by the incident or that their data was accessed by the perpetrator;
- While connected to the server, the attacker could only have seen what an ordinary ISP (Internet Service Provider) would see, and not in a personalized way or one that could be linked to any particular customer;
- The attacker only managed to access a single server that NordVPN had rented from a Finnish data center;
- No activity logs were available on the server that the attacker accessed;
- No usernames or passwords could have been intercepted, since none of NordVPN's applications send user-created credentials for authentication;
- The NordVPN applications were not affected, the VPN tunnel was not affected, the code was not hacked and the service as a whole was not hacked. The attack was an unfortunate event that affected 1 of the 5000 servers NordVPN operates;
- The attacker gained unauthorized access to the server because of a mistake made by the Finnish data center, of which NordVPN was not aware;
- As soon as the issue was discovered, NordVPN shredded the server and ended its relationship with the data center;
- Reportedly, the attack was not directed specifically at NordVPN, since at least "two other VPN services were affected" in the attack;
- The attack showed that the targeted server did not contain user activity logs, since NordVPN encrypts the hard disk of each new server it builds.
Timeline of events
As mentioned above, NordVPN went the distance to assure and reassure everybody that everything is under control, and we mentioned a timeline. Well, here it is:
- The server affected by the attack was brought online on January 31, 2018;
- Evidence related to the breach surfaced on the web on March 5, 2018;
- The data center deleted the undisclosed management account on March 20, 2018, restricting the potential for unauthorized access to the server from that point on;
- When NordVPN came to suspect a potential breach, on April 13, 2019, the server was shredded.