NordVPN, one of the world’s leading VPN providers, confirmed on Monday that one of its servers suffered a breach in 2018. This goes to show once again that 100% safety doesn’t exist, and even the most security-focused businesses may fall victim to an attack. What matters is the plan B: what happens if a hacker does manage to get access to the company’s system?
In NordVPN’s case, it seems that nothing much happened – at least for now. Let’s take a look at how the events unfolded.
How the breach happened
In March 2018, an unauthorized user gained access to a single VPN server in a data center in Finland. NordVPN was renting the server from a third-party data center provider. The company says the server was vulnerable between January 31, 2018, and March 20, 2018, but noted it was only breached once.
The company blames unsecured accounts in the provider’s remote management system, claiming it was unaware that those accounts existed. NordVPN said the provider removed the compromised account on March 20, 2018, without notifying NordVPN.
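The root cause described above is a remote-management account the tenant did not know existed. The routine check that catches this is a reconciliation of every account present on a management interface against an approved baseline, flagging unknown enabled accounts, unknown disabled leftovers, and known accounts holding more privilege than approved. The following is an added example and not NordVPN's or its provider's code; the listing format is constructed to resemble a user export from an out-of-band management interface, and the baseline values are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample listing (not real tool output): one row per account slot
# on a hypothetical remote-management interface.
SAMPLE_LISTING = """\
ID  Name        Enabled  Privilege
1   root        yes      ADMINISTRATOR
2   ops-backup  yes      ADMINISTRATOR
3   -           no       NO ACCESS
4   vendor-svc  yes      OPERATOR
5   old-tech    no       ADMINISTRATOR
"""

# Hypothetical approved baseline: account name -> maximum privilege allowed.
# In practice this comes from the asset inventory, not from the device.
BASELINE: Dict[str, str] = {"root": "ADMINISTRATOR", "ops-backup": "OPERATOR"}

# Privilege ordering used to detect escalation beyond the baseline.
PRIV_RANK = {"NO ACCESS": 0, "USER": 1, "OPERATOR": 2, "ADMINISTRATOR": 3}

# Matches "<slot> <name> <yes|no> <privilege, possibly two words>".
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(yes|no)\s+(.+?)\s*$")


@dataclass(frozen=True)
class Account:
    slot: int
    name: str
    enabled: bool
    privilege: str


def parse_listing(text: str) -> List[Account]:
    """Parse the constructed listing format into Account records."""
    accounts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header line or something we do not understand
        slot, name, enabled, priv = m.groups()
        accounts.append(Account(int(slot), name, enabled == "yes", priv.upper()))
    return accounts


def audit(accounts: List[Account], baseline: Dict[str, str]) -> List[Tuple[int, str, str]]:
    """Return (slot, name, reason) findings for anything that deviates from the baseline."""
    findings = []
    for acct in accounts:
        if acct.name == "-":
            continue  # empty slot
        if acct.name not in baseline:
            reason = "unknown-enabled" if acct.enabled else "unknown-disabled"
            findings.append((acct.slot, acct.name, reason))
            continue
        if PRIV_RANK.get(acct.privilege, 99) > PRIV_RANK.get(baseline[acct.name], 0):
            findings.append((acct.slot, acct.name, "excess-privilege"))
    # A baseline account that is missing or disabled is also worth a look:
    # it may have been replaced by an account nobody approved.
    enabled_names = {a.name for a in accounts if a.enabled}
    for name in baseline:
        if name not in enabled_names:
            findings.append((0, name, "baseline-missing"))
    return findings


if __name__ == "__main__":
    for slot, name, reason in audit(parse_listing(SAMPLE_LISTING), BASELINE):
        print(f"slot {slot:>2}  {name:<12} {reason}")
```

Run against an export from each management interface in the fleet; every row that produces a finding, and every line the parser could not match, is something to explain or remove before the next review.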
On the bright side, NordVPN claims its user data remained safe despite the breach. The company makes a big point of its strict policy of not logging user activity, so the Finnish server contained no such records. In an official statement, NordVPN said that “none of [its] applications send user-created credentials for authentication.” That means the hacker had no way of intercepting users’ identities, usernames, or passwords.
What the attacker did steal from the server were TLS keys, which have since expired. NordVPN admits the hacker could have used them to perform a man-in-the-middle (MITM) attack against web traffic. However, such an attack would have needed to be “specifically targeted and highly sophisticated.” The TLS keys cannot be used to decrypt the VPN tunnel traffic itself, so the rest of the 3,000-server network remained safe.
No other data centers suffered similar attacks, NordVPN says, and it has cut ties with the company that maintained the flawed server.
After NordVPN found out about the incident “a few months ago,” it launched an internal audit of its entire infrastructure to make sure that none of its servers could be accessed in a similar way. The company cites the lengthy review as the reason why it didn’t disclose the vulnerability immediately. NordVPN has also promised an independent external audit of the infrastructure and a brand new bug bounty program.
What are the implications?
As VPN providers’ key mission is to safeguard privacy, this seems like a blow to NordVPN’s reputation. However, it’s the company’s pro-privacy ethos that saved its customers from having their credentials leaked. The “no-logging” policy made sure that the hacker couldn’t find any user data even after gaining access to the server. That’s precisely the extra layer of security VPN services promise.
The real issue is that some of NordVPN’s 12 million customers may now turn to other brands that don’t get the negative media attention but sacrifice their users’ privacy regularly. Many free VPN apps are owned by Chinese companies and collect user data. The ones located in the US may be compelled to share any information with the government and slapped with a gag order.
We can only hope that VPN users won’t start turning to less trustworthy services or decide they don’t need one at all. That would inflict real damage on their security.