One of the world's most popular virtual private network providers, NordVPN, announced on Monday that one of their servers, managed by a third party, was breached back in 2018. According to the company, none of the user credentials were affected, and they are taking measures to improve their security.
No user data affected
As organization breaches go, NordVPN's server breach is a comparatively minor one. There are no signs that the cybercriminal was able to access any customer credentials or monitor their traffic in any way. This is due to the company's strict no-log policy.
"The server itself did not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords couldn't have been intercepted either," says NordVPN's official statement.
The cybercriminal was able to obtain expired TLS keys that could only have been used in a sophisticated man-in-the-middle attack. However, the keys couldn't possibly have been used to decrypt any of the user data.
The company which experienced the hack was a third-party data center rented by NordVPN, not the VPN provider itself. The hacker was able to breach one of the servers due to poor configuration of the unnamed data center.
An unauthorized user breached one of the servers in Finland back in March 2018. None of the company's other servers at the time were affected. The attack was not targeted against NordVPN specifically; two other companies suffered from the same attack.
Measures to safeguard data
The VPN provider only became aware of the breach in January, since the data center managing the servers had deleted the accounts that caused the vulnerability instead of notifying NordVPN. Once informed, the VPN provider immediately ceased using any servers provided by the data center and terminated their contract.
The admission comes after allegations about the breach were made on Twitter over the weekend. NordVPN did not notify its customers immediately because they are in the process of internal security audits, aiming to ensure that the incident could not be replicated. NordVPN stated that they are preparing for a second no-logs audit and developing a bug bounty program. Additionally, the company reports that they increased the standards for their data centers even further, ensuring that an event of this kind would not happen again.
"We will give our all to maximize the security of every aspect of our service, and next year we will launch an independent external audit of all of our infrastructure," the company stated in their blog.