NordVPN has conceded that hackers breached a server used by the virtual network provider, but claimed that the damage done in the attack was limited.
NordVPN became aware of the 2018 attack "a few months ago", but did not disclose the exploit immediately because "we had to make sure that none of our infrastructure could be prone to similar issues", said a company statement.
"The attacker gained access to the server by exploiting an insecure remote management system left by the datacentre provider. We were unaware that such a system existed. The server itself did not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted either," said the statement.
"The exact configuration file found on the internet by security researchers ceased to exist on March 5, 2018. This was an isolated case, and no other datacentre providers we use have been affected," it added.
The encryption keys stolen by hackers could be used for decryption attacks on segments of NordVPN’s customer base, reported Ars Technica. The damage done by the attack might be worse than what the company portrays, reported Tom’s Guide. Peer VPN providers VikingVPN and TorGuard may also have been hit, the report added. Records posted on Twitter list TorGuard and VikingVPN as compromised.
"No user credentials have been intercepted. No other server on our network has been affected. The affected server does not exist anymore and the contract with the server provider has been terminated," said the NordVPN statement.
"VPN providers have grown rapidly because of the growing need for privacy. VPN cloud providers require TLS certificates that act as machine identities to authorise connection, encryption and establish trust between machines," said Kevin Bocek, VP security strategy & threat intelligence at Venafi.
"Machine identities are extremely valuable targets for cyber criminals and large enterprises often have tens of thousands of machine identities they need to protect. These breaches will become more common in the future," he added.
A breach at a VPN brand as popular as NordVPN would have happened eventually, noted Tyler Reguly, manager of software development at Tripwire.
"NordVPN runs one of the bigger online advertising programmes with YouTube content creators that I’ve seen. They even run a page to make it simple for any content creator to become an advertiser with them," he said.
"They offer incredibly cheap three-year plans that I’m sure plenty of these channel followers have signed up for, which would translate into a very large user base. They have their social responsibility programmes that includes services like free emergency VPNs to bypass censorship and discounted VPNs for not-for-profits. When you consider both aspects of this, it makes NordVPN an interesting target for nation-states that rely heavily on censorship."