NordVPN confirms 2018 data centre breach

Personal virtual private network provider admits to a breach in March 2018 but claims no data was exfiltrated

NordVPN has admitted it was hacked in March 2018, after rumours circulated about a data breach that the virtual private network (VPN) service provider had suffered.

The company said that an expired internal private key, a tool that provides and secures machine identity, became exposed earlier this year, allowing for the construction of insecure NordVPN imitation servers.

Despite touting its VPN services as "a hack-proof, encrypted tunnel for online traffic to flow", an attacker accessed a data centre hosting NordVPN servers. 

By exploiting a remote management system left by the Finnish data centre provider, which NordVPN was not aware existed, the hacker managed to gain access to one of its servers, which had only been active for about a month. The server essentially gave the hacker access to some of the encryption keys that secure NordVPN user data.

The company's blog post responding to the data breach claims: "No user credentials have been intercepted. No other server on our network has been affected. The affected server does not exist anymore and the contract with the server provider has been terminated."

While the breach occurred more than a year ago, NordVPN only discovered it "a few months ago", and had not revealed its existence until recently due to security concerns. 

"We did not disclose the exploit immediately because we had to make sure that none of our infrastructure could be prone to similar issues. This couldn't be done quickly due to the huge number of servers and the complexity of our infrastructure," the company said. 

VPN providers, which protect the privacy of a customer's browsing traffic from the internet provider and the sites they visit, continue to gain popularity, particularly among journalists and activists working in hostile states.

VPNs make tracking a customer's internet and app usage more difficult by channelling their traffic through one encrypted pipeline, which typically relocates their browsing history from their internet provider to their VPN provider. This function has brought VPNs under increased scrutiny, as it is unclear whether each provider logs users' internet history.

"We don't track, collect, or share your private data," NordVPN claims. "It's none of our business."

For this reason, spokesperson Laura Tyrell told IT Pro, "even if the hacker could have viewed the traffic while being connected to the server, he could only see what an ordinary ISP would see, but in no way could it be personalised or linked to a particular username or email."

However, an anonymous security researcher told TechCrunch: "While this is unconfirmed and we await further forensic evidence, this is an indication of a full remote compromise of this provider's systems. That should be deeply concerning to anyone who uses or promotes these particular services."

In the wake of the breach, NordVPN reported it is "taking all the necessary means to enhance [its] security", including pursuing application security and no-logs audits as well as launching a bug bounty programme. Next year, the company plans to launch an independent external audit of its entire infrastructure.

Data security researchers project that similar breaches of machine identity will become increasingly common.

"It is imperative organisations have the agility to automatically replace every key and certificate that may have been exposed in breaches," said Kevin Bocek, vice president of security strategy and threat intelligence for Venafi.

"Quickly replacing machine identities is the reliable way to ensure privacy and security in a world where businesses run and depend on the cloud."
