NordVPN has denied claims that hackers breached its internal Salesforce development servers, saying recently leaked data came from a temporary third-party testing environment and did not include real customer or business information.
The clarification follows posts on a cybercrime forum over the weekend by a threat actor using the handle “1011,” claiming to have stolen more than 10 databases from a NordVPN development server. The attacker alleged the data was obtained by brute-forcing a misconfigured system and included sensitive assets such as Salesforce API keys, Jira tokens, and other development-related information.
The post quickly gained attention on breach forums and social media, particularly because it referenced tools commonly used in internal development and customer support workflows. However, NordVPN says the claims are inaccurate.
What NordVPN Says Happened
According to the company, its security team reviewed the leaked files and conducted an initial forensic analysis. NordVPN said it found no evidence that its servers or internal production infrastructure, or customer data, have been compromised.
Instead, NordVPN says the leaked files originated from a trial account on a third-party automated testing platform created roughly six months ago while the company was evaluating a potential vendor for automated testing.
“As part of a standard Proof of Concept (PoC) phase, a temporary test environment was created to assess their functionality,” NordVPN explained in a blog post published on Monday.
“Because this was a preliminary test and no contract was ever signed, no real customer data, production source code, or active sensitive credentials were ever uploaded to this environment.”
The company added that the test setup was never connected to NordVPN’s core infrastructure and was fully isolated from production systems. The databases reportedly contained only dummy data used to check functionality.
“The leaked elements, such as the specific API tables and database schemas can only be artifacts of an isolated third-party test environment, containing only dummy data used for functionality checks,” NordVPN said. “No data in the dump points to NordVPN.”
The company says it is continuing to investigate the matter and has contacted the third-party vendor for additional information about how the test environment was accessed and to ensure similar exposures do not occur in the future.
NordVPN assured users that its systems remain secure and require no action from its users.
