NordVPN, a personal VPN service provider available for Windows, macOS, and Linux, has admitted that one of its servers was hacked in March 2018, more than a year ago. The company states that it remained silent about the breach, despite knowing about it for several months, because it was important to check whether the rest of its servers were secure.
For some time, an expired internal key was exposed to the public, meaning that anyone could have had root access to the servers. At some point, an unauthorized user accessed a server located in a data center in Finland, so the blame may lie with the data center provider. Most probably, an insecure remote management system was exploited; the data center knew about it but did not notify NordVPN. The company states, though, that as soon as it learned of this mistake, it immediately terminated the contract with the provider.
No other servers were affected. Even though a TLS (Transport Layer Security) key was stolen, NordVPN clearly states that the key could not be used to decrypt any encrypted user traffic. The only way user data could have been stolen was via a targeted man-in-the-middle attack.
The breach could have enabled the hacker to gather information about customers' traffic flowing through the server. However, NordVPN claims that no user credentials were intercepted, as the hacked server didn't contain any activity log information. In general, NordVPN doesn't keep any personal data such as usernames or passwords.
The incident drew attention to the security issue.
As mentioned in NordVPN’s blog:
We want our users and the public to accurately understand the scale of the attack and what was and was not at risk. The breach affected one of over 3,000 servers we had at the time for a limited time period, but that’s no excuse for an egregious mistake that never should have been made. Our goal is not to undermine the severity and significance of this breach. We should have done more to filter out unreliable server providers and ensure the security of our customers.