This incident drew attention to the security issue. NordVPN doesn’t keep any personal data such as usernames or passwords in general. However, NordVPN claims that no user credentials were intercepted as the hacked server didn’t contain any activity log information. The breach could have enabled the hacker to gather information regarding customers’ traffic flowing through the server. The only way user data could have been stolen was via a targeted man-in-the-middle attack. Even though a TLS (Transport Layer Security) key was stolen, NordVPN clearly states that the key could not be used to decrypt any encrypted user traffic. The company states, though, that as soon as they knew about this mistake, they immediately terminated the contract with the provider. Most probably, an insecure remote management system was exploited; the center knew about it but did not notify NordVPN of it. At some point, an unauthorized user accessed a server located in a data center in Finland, so the blame may lie with the data center provider.
The company states that it remained silent about the breach, despite knowing about it for several months, because it was important to check whether the rest of the servers were secure. For some time, the expired internal key was exposed to the public, meaning that anyone could have had root access to the servers.
NordVPN, a personal VPN service provider available for Windows, macOS, and Linux, has admitted that one of its servers was hacked in March 2018, more than a year ago.