If you haven’t used NordVPN, you may have seen some of the dozens of commercials for it. NordVPN, provider of a widely used virtual private network (VPN) service, confirmed that one of its data centers was breached in March 2018. The company said an attacker gained access to a server at a data center in Finland by exploiting an insecure remote management system left by the data center provider, a system NordVPN said it never knew existed.
“The server itself did not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted either,” the company said in an official statement.
NordVPN didn’t name the data center provider but said that it terminated its contract with the server provider and shredded all of the servers it had been renting from them. The company said it found out about the NordVPN breach a few months ago, yet waited to disclose the incident to ensure that the rest of its infrastructure was secure.
Over the weekend, security researchers discovered that an expired NordVPN private key had been exposed, which would allow anyone to set up a server imitating NordVPN. According to NordVPN, the TLS key was taken at the same time the data center was exploited.
“However, the key couldn’t possibly have been used to decrypt the VPN traffic of any other server. On the same note, the only possible way to abuse the website traffic was by performing a personalized and complicated man-in-the-middle attack to intercept a single connection that tried to access NordVPN.”
If what the company claims is true, then the NordVPN breach will have little, if any, impact on users and their information. However, the breach happened more than a year ago, and the company wasn’t notified until recently. This will undoubtedly spark discussions about tech security, especially since many VPNs are used to hide the identities of users who download terabytes of illegal content.