NordVPN Had Private Keys Stolen after Server Breach (Updated)


NordVPN has confirmed that one of its servers was compromised in a hack early last year. The attacker gained access to a TLS encryption key which could be used to impersonate the site or a VPN server, using a targeted man-in-the-middle attack. The key could not be used to decrypt regular VPN traffic.

VPN service provider NordVPN was the victim of a server breach early last year, the provider has confirmed.

The news was made public following a series of tweets from hacker / web developer ‘undefined.’ These were picked up by Ars Technica and CNET, among others.

The hack in question targeted a single server at a third-party datacenter. The attacker reportedly compromised the server by exploiting an insecure remote management system, which NordVPN wasn’t aware existed at the time.

By compromising the server, the attacker gained access to three TLS keys that would allow this person to operate a fake site or VPN server, using a man-in-the-middle attack. NordVPN stresses that it doesn’t keep user logs and that it wasn’t possible to use the keys to decrypt regular VPN traffic or previously recorded VPN sessions.

The server in question was compromised in early 2018, but NordVPN didn’t disclose it at the time. The company now says that it chose not to do so because it had to make sure that none of its other infrastructure was prone to similar issues.

Following the news reports, NordVPN published its own account of what happened and how this affected its users. The company stresses that the breached keys have since expired (they were still valid at the time of the breach) and could never be used to decrypt the VPN traffic of users.

While the compromised TLS keys couldn’t decrypt VPN traffic, a server breach is of course always a big event, especially in the VPN industry, where trust in a company is extremely important. That the effect appears to be limited here is a good thing, but that doesn’t change the fact that the server was hacked.

While NordVPN stresses that the hack only had a minimal impact, it recognizes that security is a vital issue, and that it should do better going forward.

“Even though only 1 of more than 3000 servers we had at the time was affected, we are not trying to undermine the severity of the issue. We failed by contracting an unreliable server provider and should have done better to ensure the security of our customers,” NordVPN says.

“We are taking all the necessary means to enhance our security,” the company adds.

NordVPN further informs TorrentFreak that it always treats VPN servers as the least secure part of their infrastructure, since breaches are always possible. This means that VPN endpoints do not contain any “vulnerable information,” nor do they provide access to the rest of the infrastructure or a user database.

If anything, this episode shows that 100% security is nearly impossible. In addition to the NordVPN hack, competing services TorGuard and VikingVPN also suffered breaches, according to reports. TorGuard previously confirmed this a few months ago.

Update: Ars Technica reports that some user accounts have leaked as well. This doesn’t indicate that any NordVPN servers were breached, but users are probably wise to update their credentials, especially if these are used elsewhere.

Disclaimer: NordVPN is one of our sponsors. This article was written independently, as all of our articles are.
