- NordVPN picked the wrong data center provider and is now paying for it with negative publicity.
- A malicious actor compromised the unprotected server and had access to it for a full month.
- NordVPN has known about this for a few months but opted not to disclose it until now.
NordVPN, one of the most trustworthy VPN solutions out there, has just confirmed that they were hacked, after compelling evidence was published a few hours ago by a Twitter user called “undefined”. As the hacker points out, whoever compromised NordVPN had root access to a container server, which means full control. The hacker also suggests that TorGuard, VikingVPN, and OpenVPN had their server keys and TLS certificates stolen in the past, but there is no official confirmation of this yet. Long story short, whoever obtained the exposed internal keys (since expired) could have launched their own NordVPN server clones, with all that this entails for the users of the popular service.
Apparently other VPN providers were also compromised: https://t.co/RoDRLQlYUK
— undefined (@hexdefined) October 21, 2019
Did this actually happen, and have people fallen victim to such a nasty man-in-the-middle attack? In their official response, NordVPN tries to ease fears about the incident by stating that the compromised server did not contain any user activity logs or user credentials, so nothing critical could have been intercepted by the malicious actors. Moreover, they clarify that this was an isolated case, as one of their datacenter providers had left a remote management system unprotected by mistake. That said, all of the three thousand other datacenters they use are perfectly safe, and have been safe all along. NordVPN says they double-checked that, so we don’t have any reason to dispute them.
NordVPN states that they became aware of the compromise a few months ago, but decided not to disclose the incident immediately because they wanted to make sure that no other parts of their infrastructure had been compromised. The company attributes this delay to its large number of servers and the complexity of its infrastructure. Of course, disclosing it only now that the “undefined” hacker has published his/her discoveries isn’t helping a lot with maintaining a trusting rapport with their customers. As bad as this news would be for its users, and as damaging as it would be for their business, we would have preferred that NordVPN disclose the incident much sooner.
Recently, NordVPN completed an in-depth penetration-testing security audit by VerSprite, and they are currently undergoing their second no-logs audit, so the software is still very robust and, without a doubt, one of the best in the field. Still, having 0.03% of your infrastructure compromised can have a long-lasting harmful effect on your reputation.
Update: TorGuard has also admitted that its VPN services were compromised in September 2017. They traced the actor to an 8chan user who used since-expired Ghostbin links as proof of the compromise. However, because TorGuard was using secure PKI management, its main CA key was not affected. The team of the popular VPN service learned of the breach in May 2019 and found that they had already removed the hosting reseller from their network due to other incidents.
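The reasoning in both the NordVPN and TorGuard passages above rests on two points: a stolen server key and TLS certificate let an attacker stand up a server clone only for as long as clients will accept that certificate, and a stolen server key is far less damaging than a stolen CA key, because without the CA key the attacker cannot mint new certificates that clients trust. The Go program below is an added example to show that distinction with a client-side certificate check; it is not code from NordVPN, TorGuard or the article. The root CA, the hostname `vpn.example.test`, the serial numbers and all dates are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed toy PKI (not any real VPN provider's): one root CA, one server
// certificate issued by it, and an impostor certificate for the same hostname
// signed by a key the CA never saw.
const host = "vpn.example.test" // hypothetical hostname

var (
	validAt     = time.Date(2019, 10, 21, 0, 0, 0, 0, time.UTC) // inside the server cert's validity window
	afterExpiry = time.Date(2020, 6, 1, 0, 0, 0, 0, time.UTC)   // after the server cert has expired
)

type toyPKI struct {
	roots  *x509.CertPool
	server *x509.Certificate
	clone  *x509.Certificate
}

type outcome struct {
	Valid     bool   // client would accept the server
	Expired   bool   // rejected: outside the validity window
	UnknownCA bool   // rejected: chain does not end at a trusted root
	Reason    string // verifier's error text, empty when accepted
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs template with the parent's private key and returns the parsed certificate.
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func buildPKI() toyPKI {
	caKey := newKey()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Toy VPN Root CA"},
		NotBefore:             time.Date(2019, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:              time.Date(2029, 1, 1, 0, 0, 0, 0, time.UTC),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	ca := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)

	// Server certificate: short-lived, so a stolen key stops being useful soon.
	srvKey := newKey()
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Date(2019, 9, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:     time.Date(2019, 12, 1, 0, 0, 0, 0, time.UTC),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	server := issue(srvTmpl, ca, &srvKey.PublicKey, caKey)

	// Impostor: same hostname and dates, but self-signed because the CA key was never stolen.
	atkKey := newKey()
	cloneTmpl := *srvTmpl
	cloneTmpl.SerialNumber = big.NewInt(3)
	clone := issue(&cloneTmpl, &cloneTmpl, &atkKey.PublicKey, atkKey)

	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return toyPKI{roots: roots, server: server, clone: clone}
}

// checkServerCert does what a VPN client should do before trusting a server: build a
// chain to a trusted root, check the validity window at time now, and match the hostname.
func checkServerCert(roots *x509.CertPool, leaf *x509.Certificate, hostname string, now time.Time) outcome {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: hostname, CurrentTime: now})
	if err == nil {
		return outcome{Valid: true}
	}
	o := outcome{Reason: err.Error()}
	var inv x509.CertificateInvalidError
	if errors.As(err, &inv) && inv.Reason == x509.Expired {
		o.Expired = true
	}
	var unk x509.UnknownAuthorityError
	if errors.As(err, &unk) {
		o.UnknownCA = true
	}
	return o
}

// scenarios runs the three cases the article's reasoning implies.
func scenarios() map[string]outcome {
	p := buildPKI()
	return map[string]outcome{
		"valid":   checkServerCert(p.roots, p.server, host, validAt),     // genuine cert, in window
		"expired": checkServerCert(p.roots, p.server, host, afterExpiry), // genuine cert, after expiry
		"clone":   checkServerCert(p.roots, p.clone, host, validAt),      // impostor without the CA key
	}
}

func main() {
	for name, o := range scenarios() {
		fmt.Printf("%-8s valid=%-5t expired=%-5t unknownCA=%-5t %s\n", name, o.Valid, o.Expired, o.UnknownCA, o.Reason)
	}
}
```

The "valid" case is the uncomfortable one: a genuine certificate and key stolen from a server would pass this check for the right hostname until the certificate expires (or is revoked, which the example does not model), so the validity window bounds how long a clone server stays convincing. The "clone" case is what an attacker is left with once the certificate has expired and the CA key is intact, which is why TorGuard's unaffected CA key matters more than the loss of individual server keys.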