NordVPN, widely regarded as one of the best virtual private network (VPN) services, confirmed one of its datacenters was hacked. The security breach occurred over a year ago, in March 2018, though it is only now being disclosed to users. Apparently NordVPN used the time between then and now to audit its infrastructure and make sure its operations were secure.
Security breaches are always unfortunate, and some might find them especially concerning when they happen to a VPN provider. VPNs are supposed to afford users anonymity on the web. Of course, nothing that happens online is ever truly anonymous, though VPNs operate by routing Internet traffic through an alternate, encrypted route.
This makes it more difficult to track and identify a user. It can also be a critical tool for some people, such as activists who could find themselves in grave danger if their identities are exposed. For others, it's simply an added measure of security and privacy.
NordVPN is one of the more recognizable names in the VPN space. It's also not immune to data breaches. The company said that one of the datacenters in Finland from which it rents servers allowed unauthorized access.
"The server itself did not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted either," NordVPN told Zack Whittaker at TechCrunch. "On the same note, the only possible way to abuse the website traffic was by performing a personalized and complicated man-in-the-middle attack to intercept a single connection that tried to access NordVPN."
NordVPN is essentially downplaying the incident, saying no harm could have come from the breach. And even though the private keys that were accessed could have been used to spoof a NordVPN server, NordVPN expired the keys and noted it would not be possible to decrypt the VPN traffic on other servers.
However, not everyone agrees with NordVPN's assessment of the situation. A senior security researcher who wished not to be identified offered up a different take to Whittaker.
"While this is unconfirmed and we await further forensic evidence, this is an indication of a full remote compromise of this provider’s systems," the security researcher said. "That should be deeply concerning to anyone who uses or promotes these particular services."
The researcher went on to liken NordVPN's attitude to that of someone whose car was stolen and taken on a joy ride, yet who is concerned only about which radio buttons were pushed rather than the actual theft.
If nothing else, this serves as a reminder that security only goes so far on the Internet. Even outside of hacks, a recent report found that many of the top VPNs are owned by China and Pakistan, and that user data could potentially be shared or sold to governments with notoriously poor privacy laws.
NordVPN reached out to HotHardware to stress that its service was not hacked, and that this was an isolated incident that did not impact thousands of other servers in any way.
"In early 2018, one isolated datacenter in Finland was accessed without authorization. That was done by exploiting a vulnerability of one of our server providers that hadn’t been disclosed to us. No user credentials have been intercepted. No other server on our network has been affected. The affected server does not exist anymore and the contract with the server provider has been terminated," NordVPN states in a related blog post.
NordVPN also says that even though just 1 of more than 3,000 servers was affected by this incident, it is not trying to undermine the severity of the issue.
"We failed by contracting an unreliable server provider and should have done better to ensure the security of our customers. We are taking all the necessary means to enhance our security. We have undergone an application security audit, are working on a second no-logs audit right now, and are preparing a bug bounty program. We will give our all to maximize the security of every aspect of our service, and next year we will launch an independent external audit of all of our infrastructure to make sure we did not miss anything else," NordVPN says.
You can read the rest of NordVPN's statement in its blog post.