NordVPN compromised in a data breach in 2018, admits the popular VPN service
Virtual private network (VPN) provider NordVPN on Monday confirmed that a server it had rented from a Finland-based data center was breached in March 2018. However, the company claims that no user data was exfiltrated and that the breach was an “isolated case.”
For those unaware, a VPN carries a user's traffic over the public internet inside an encrypted tunnel to a server run by the VPN provider (or, in the corporate case, by the user's own organization), which then forwards it on. Remote users can reach a private network this way, and anyone watching the local network, such as other users of a public Wi-Fi hotspot or the ISP, sees only encrypted traffic to the VPN server rather than the sites being visited. A VPN can also be used to reach region-restricted websites. The protection extends only as far as the VPN server: the provider, and anyone who compromises one of its servers, is in a position to see the traffic as it leaves the tunnel, which is why a server breach at a VPN provider matters.
The server, which had been allocated to NordVPN in January 2018, was accessed without authorization in March 2018. The unnamed data center operator had left an insecure remote management system on the rented server, and the intruder exploited it. The data center then deleted the accounts the intruder had used on March 28, 2018 without informing NordVPN.
“The attacker gained access to the server by exploiting an insecure remote management system left by the data center provider while we were unaware that such a system existed. The datacenter deleted the user accounts that the intruder had exploited rather than notify us,” the company wrote in a blog post.
“The server itself did not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted either.”
An expired private TLS key for NordVPN's website was also leaked at the same time the server was compromised. The worry raised was that the stolen key could be used to set up spoof NordVPN servers or otherwise impersonate the company. Two caveats apply. The key belongs to the website's certificate and is separate from the keys that protect VPN tunnel traffic, so it does not by itself decrypt user data, and with the ephemeral key exchange modern TLS configurations use it does not decrypt previously recorded website traffic either. TLS clients also reject a certificate once it has expired, so the key could have enabled impersonation only while the certificate was still valid. It should nonetheless be treated as compromised and never reused.
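As an added, stand-alone example (not code from the article or from NordVPN), here are the two checks a responder would run with stock openssl on a key that has turned up where it should not be: does it belong to the certificate in question, and would a client still accept that certificate at a given point in time? The key and certificate are generated locally as sample material; the hostname vpn.example.test is made up.

```shell
#!/bin/sh
# Added example, not part of the article or of NordVPN's own tooling.
# Sample material: a throwaway RSA key with a self-signed certificate for a
# made-up name, valid for one day, plus an unrelated key for a non-match case.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KEY="$WORK/leaked.key"
CERT="$WORK/site.crt"
OTHER_KEY="$WORK/other.key"

openssl req -x509 -newkey rsa:2048 -nodes -keyout "$KEY" -out "$CERT" \
    -days 1 -subj "/CN=vpn.example.test" >/dev/null 2>&1
openssl genrsa -out "$OTHER_KEY" 2048 >/dev/null 2>&1

# (1) A key matches a certificate when the public half derived from the key
# equals the public key embedded in the certificate. Comparing the encoded
# public key works for RSA and EC keys alike, unlike a modulus comparison.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# (2) Run the validity check a TLS client performs, but at an arbitrary time
# given as Unix epoch seconds. -attime answers "would this have been accepted
# at that moment?" without waiting for the clock. The self-signed certificate
# is passed as its own trust anchor so only the validity period is in play.
cert_valid_at() {
    openssl verify -CAfile "$2" -attime "$1" "$2" >/dev/null 2>&1
}

NOW=$(date +%s)
TEN_DAYS_ON=$((NOW + 10 * 86400))

if key_matches_cert "$KEY" "$CERT"; then
    echo "leaked key matches $CERT"
fi
if ! key_matches_cert "$OTHER_KEY" "$CERT"; then
    echo "unrelated key does not match $CERT"
fi
if cert_valid_at "$NOW" "$CERT"; then
    echo "certificate accepted now: impersonation possible while it is valid"
fi
if ! cert_valid_at "$TEN_DAYS_ON" "$CERT"; then
    echo "certificate rejected once expired: the key alone no longer enables spoofing"
fi
```

For a real incident the same two functions are run against the leaked key and the certificate currently served by the site (fetched with `openssl s_client`), with the second check at the current time and at the time of the suspected compromise.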
To this, the company responded, “No user credentials have been intercepted. No other server on our network has been affected. The affected server does not exist anymore and the contract with the server provider has been terminated.”
The company says it became aware of the incident only "a few months ago" and did not disclose it until now, citing security concerns.
“We did not disclose the exploit immediately because we had to make sure that none of our infrastructures could be prone to similar issues. This couldn’t be done quickly due to the huge number of servers and the complexity of our infrastructure,” the company said.
“Once we found out about the incident, we immediately launched a thorough audit to check out the entire infrastructure. We double-checked that no other server could possibly be exploited this way and started creating a process of moving all of our servers to RAM, which is to be completed next year.”
To step up its security efforts, the company also plans to launch an independent external audit of its infrastructure next year.
“Even though only 1 of more than 3000 servers we had at the time was affected, we are not trying to undermine the severity of the issue. We failed by contracting an unreliable server provider and should have done better to ensure the security of our customers. We are taking all the necessary means to enhance our security,” Daniel Markuson from NordVPN said.
“We have undergone an application security audit, are working on a second no-logs audit right now, and are preparing a bug bounty program. We will give our all to maximize the security of every aspect of our service, and next year we will launch an independent external audit of all of our infrastructures to make sure we did not miss anything else.”