VPN Provider NordVPN Discloses ‘Isolated’ 2018 Data Breach
NordVPN, a popular VPN provider, today said it was the victim of a data breach in 2018. The company said that so far the impact from the hack was minor, but it plans on upping its security efforts.
The VPN company released details on Monday of the March 2018 data breach, according to a new report from TechCrunch. An unauthorized user accessed a lone server in a Finland data center that NordVPN was renting from an unnamed provider, which apparently didn’t disclose the hack. NordVPN says no usernames or passwords were intercepted.
The company, which described the event as an attack rather than a more-common hack, says the breach took place in March 2018, but the attacker did not retrieve any customer information.
“The attacker gained access to the server by exploiting an insecure remote management system left by the data center provider while we were unaware that such a system existed,” explained a NordVPN spokesperson. “The server itself did not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted either.”
The server in question came online on January 31, 2018. The unnamed company maintaining the data center allegedly discovered that its vulnerable remote management account remained on the rented server and deleted it on March 28, 2018, without informing NordVPN. The popular VPN provider supposedly didn’t even know this account existed until “a few months ago.”
NordVPN blog editor Daniel Markuson said the expired TLS key taken when the server was exploited couldn’t have been used to decrypt the VPN traffic of any other server. “On the same note, the only possible way to abuse website traffic was by performing a personalized and complicated MiTM (man-in-the-middle) attack to intercept a single connection that tried to access nordvpn.com.”
Furthermore, NordVPN said that no user credentials were taken and that the server did not contain any user activity logs.
NordVPN said it is now holding its datacenter partners to “even higher standards” and is working on a bug bounty program.