NordVPN breach explained in short: no, NordVPN wasn’t truly “hacked” and yes, your Internet browsing data is almost certainly still protected. That isn’t to say the incident we’re covering here amounts to nothing.
In fact, it raises some notable concerns about the manner in which NordVPN does business, and it remains to be seen how it affects the firm moving forward, seeing how this industry largely revolves around the one thing that was undeniably compromised in this episode – trust.
NordVPN made headlines for all the wrong reasons in late 2019 after confirming someone gained unauthorized access to one of its systems. One of the largest providers of virtual private network services on the planet immediately downplayed the gravity of the incident and went into damage control mode but the high-profile breach still left security specialists and consumers with many questions. In a way, its network framework was “hacked”, though not really, as we explain below.
Today, we’re taking an in-depth look at the controversial hack and its potential consequences for VPN users around the globe. This is the NordVPN breach – explained.
NordVPN breach: Timeline
The breach in question was revealed by the (in)famous hacking collective Keksec. On October 20, 2019, the group tweeted that one of NordVPN’s expired server keys had been discovered and leaked. Expired or not, the main takeaway from the revelation was that anyone holding such a key could have set up a server posing as NordVPN in the aftermath of the incident.
Tech media around the world promptly picked up on the story which turned into a global scandal in a matter of hours.
In a lengthy blog post published the following day, NordVPN confirmed the breach but was quick to point out that the incident affected only a single component of its comprehensive VPN network – a third-party one, at that.
More specifically, the Panama-based company revealed that a single server in Finland operated by one of its partners was accessed without authorization between January 1 and March 5 of 2018. The partner in question was soon revealed to be Oy Creanova Hosting Solutions.
The Finnish data firm waited until April 13, 2019, to inform NordVPN of the breach. In response, the VPN provider immediately terminated its contract with the company and launched an investigation into the incident, the company said at the time. NordVPN still waited more than half a year before acknowledging the episode, having only done so after the aforementioned hacking collective openly mocked its claims of bulletproof security on Twitter, thus kick-starting this whole mess.
On October 22, 2019, NordVPN advisor Tom Okman claimed the company did not disclose the breach sooner because it was still wrapped in its internal review. The industry veteran argued NordVPN wanted to be certain no other servers were affected before going public with its findings, which is why it supposedly contacted “hundreds and hundreds of data centers all around the world” before announcing what it knows.
If that sounds just a tad bit convenient for NordVPN, that’s probably because it is. Today, nearly half a year after the ordeal originally became public, there’s no indication NordVPN would have disclosed the hack had Keksec not surfaced it for them – even as they claimed they weren’t responsible for it.
Credit where it’s due, however: the international VPN provider did a decent job of placing a positive spin on the scandal, declaring the incident allowed it to tighten its infrastructure policies and bolster its security across the board.
In other words, it placed the blame entirely on Creanova. Truth be told, that wasn’t particularly hard to do given that someone at NordVPN’s former hosting partner apparently misconfigured an account, which allowed it to be compromised and eventually led to an unknown party gaining access to the server, brief as that access may have been.
A week later, on October 30, NordVPN announced a partnership with Atlanta, Georgia-based cybersecurity consultants at VerSprite, stating the collaboration will result in more robust penetration testing of its network moving forward.
NordVPN breach: Scope
- 1 server in Finland (out of 3,300+ globally)
- Transport layer security (TLS) and OpenVPN Certificate Authority keys stolen
- NordVPN + two other VPNs had infrastructure intruded upon
- Not a targeted attack
- No sensitive user data compromised
- NordVPN usernames and passwords remain safe
- Compromised server contained no temporary activity logs
- No evidence the intruder attempted monitoring server traffic
In short, while the incident certainly generated some concerns about NordVPN’s business practices that we’ll analyze in a bit, its immediate material consequences aren’t particularly notable. If you fear your user credentials, identity, or browsing history were somehow leaked in the aftermath of the breach, that’s fortunately not the case – statistically, at least.
A small subset of NordVPN customers who were assigned one specific IP based in Finland in March of 2018 may have had their activity monitored in real time by an unauthorized third party for a brief period.
Naturally, it’s important to note there’s no evidence of that being the case. As far as the company’s concerned, its hosting partner messed up a configuration of a single device on its network, which led to an intruder infiltrating the said server.
The now-long-expired encryption key that was stolen could not have been used to access any other server in NordVPN’s international network spanning some 3,300 units, according to the firm. While the VPN provider claimed any attacker would have extreme difficulty leveraging this attack vector to spy on its users, some cybersecurity experts disagreed.
NordVPN practices a no-logging policy, meaning its customers should be safe from government data requests because there’s nothing to request – in theory. Yet that obviously doesn’t amount to much if you’re able to penetrate one of its server nodes used for encrypting and anonymizing traffic.
By stealing a server’s TLS key and pairing it with an OpenVPN CA key that’s also alleged to have been compromised as part of the breach, unauthorized third parties could have set up their own servers posing as part of the NordVPN network. That would essentially amount to a highly advanced version of a man-in-the-middle attack, albeit one whose instigators would be hard-pressed to target more than a single user whose traffic was being rerouted via the compromised server.
While NordVPN found no indication of anything of the sort occurring, that doesn’t exactly inspire confidence in privacy-mindful individuals paying for VPN services. Which leads us to the final takeaway from this complicated matter.
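The impersonation scenario above hinges on what a VPN client actually checks before trusting a server, so here is a client-side certificate check, written for this article and not taken from NordVPN or OpenVPN. It builds a constructed lab PKI (a trusted CA, a second untrusted CA, and server certificates under made-up names such as fi-1.vpn.example) and shows what the check rejects: an expired server certificate like the leaked one, a certificate from a CA the client does not trust, and a valid certificate presented under the wrong server name. Every name, date and helper in it is an assumption made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a certificate for the constructed lab PKI (helper written for this
// example, not NordVPN's or OpenVPN's code). With parent == nil it produces a
// self-signed CA; otherwise a server certificate signed by parent/parentKey.
func newCert(name string, notBefore, notAfter time.Time, parent *x509.Certificate,
	parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	} else {
		tmpl.DNSNames = []string{name} // clients match the SAN, not the CN
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifyServerCert is the client-side check: the presented certificate must chain
// to the single CA the client trusts, be valid at `now`, be usable for server
// authentication, and carry the name the client expected to connect to.
func VerifyServerCert(server, trustedCA *x509.Certificate, expectedName string, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := server.Verify(x509.VerifyOptions{
		Roots:       roots,
		DNSName:     expectedName,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// Classify maps a verification error to the reason a client would log.
func Classify(err error) string {
	if err == nil {
		return "ok"
	}
	var invalid x509.CertificateInvalidError
	if errors.As(err, &invalid) && invalid.Reason == x509.Expired {
		return "expired"
	}
	var unknownCA x509.UnknownAuthorityError
	if errors.As(err, &unknownCA) {
		return "unknown-ca"
	}
	var hostname x509.HostnameError
	if errors.As(err, &hostname) {
		return "name-mismatch"
	}
	return "other: " + err.Error()
}

// RunScenarios builds the constructed CA and server certificates and reports how
// the client check treats each one. The clock is pinned to the day NordVPN
// confirmed the breach so the results do not depend on when this is run.
func RunScenarios() (map[string]string, error) {
	now := time.Date(2019, 10, 21, 12, 0, 0, 0, time.UTC)
	year := 365 * 24 * time.Hour
	ca, caKey, err := newCert("Lab VPN CA", now.Add(-3*year), now.Add(3*year), nil, nil)
	if err != nil {
		return nil, err
	}
	untrustedCA, untrustedKey, err := newCert("Untrusted CA", now.Add(-year), now.Add(year), nil, nil)
	if err != nil {
		return nil, err
	}
	const server = "fi-1.vpn.example" // constructed name for the Finnish node
	current, _, err1 := newCert(server, now.Add(-30*24*time.Hour), now.Add(year), ca, caKey)
	expired, _, err2 := newCert(server, now.Add(-2*year), now.Add(-year), ca, caKey) // long-expired, as the leaked key was
	offCA, _, err3 := newCert(server, now.Add(-year), now.Add(year), untrustedCA, untrustedKey)
	wrongName, _, err4 := newCert("de-7.vpn.example", now.Add(-year), now.Add(year), ca, caKey)
	if err := errors.Join(err1, err2, err3, err4); err != nil {
		return nil, err
	}
	return map[string]string{
		"current":    Classify(VerifyServerCert(current, ca, server, now)),
		"expired":    Classify(VerifyServerCert(expired, ca, server, now)),
		"off-ca":     Classify(VerifyServerCert(offCA, ca, server, now)),
		"wrong-name": Classify(VerifyServerCert(wrongName, ca, server, now)),
	}, nil
}

func main() {
	results, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	for _, k := range []string{"current", "expired", "off-ca", "wrong-name"} {
		fmt.Printf("%-10s -> %s\n", k, results[k])
	}
}
```

Run as-is it reports `ok`, `expired`, `unknown-ca` and `name-mismatch` for the four scenarios. In OpenVPN terms these are the checks behind a client profile that pins the provider's CA and sets `remote-cert-tls server` and `verify-x509-name`. The caveat the article's scenario turns on is visible in the `off-ca` case: the check can only reject a certificate signed by a key it does not trust. A certificate minted with a stolen copy of the real CA key passes exactly like a legitimate one, which is why a compromised CA key is the more serious loss and why reissuing the CA, not just rotating the one server key, is what restores the guarantee.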
A disheartening cover-up
A VPN provider that hides a security breach from its customers until hackers literally post its server keys on social media is as close to a giant red flag as you can get in this industry.
The manner in which NordVPN handled the situation left a bitter taste for many. “We decided we should not notify the public until we could be sure that such an attack could not be replicated anywhere else on our infrastructure,” wrote the company’s resident privacy specialist, Daniel Markuson.
How convenient that NordVPN’s internal audit concluded no such risks existed mere hours after social media users started ridiculing its server security practices with Ice Cube GIFs and some 18 months after the original breach, right? Surely there’s no way the company would have stayed silent had the proof of the incident not surfaced online?
Sarcasm aside, what’s disheartening about the NordVPN breach is this: if one of the world’s largest VPN providers can’t be trusted to remain transparent even about an objectively minor security lapse of no significant consequence, how can consumers trust it to do the right thing when something much more dire happens?
Worse still, if this is how one of the industry leaders behaves, what can one expect from comparably smaller VPNs forced to cut corners to compete?
Neither of those questions has pleasant implications, but regardless, one thing is certain – even if NordVPN’s system wasn’t truly “hacked” on any significant scale, the company isn’t leaving this ordeal looking any better in the eyes of security experts and customers.
“NordVPN Breach Explained” was written by Dominik Bosnjak, a long-time VPN-user-turned-advocate who spends more time scrutinizing VPN Providers on a daily basis than he’d like to admit. When he isn’t writing VPN Guides and covering general Tech News, he’s probably spending time with his dog, video games, or both. Fun fact: the Shih Tzu in question is the only remaining creature in Dominik’s life who hasn’t told him they’re sick of him talking about Best VPN practices and government-sponsored erosion of digital privacy which made using the Internet less convenient over the years. He occasionally dabbles in video editing, Wall Street memes, and demonstrating a remarkable lack of guitar-playing ability.
If you want more tidbit-sized rants about any of those things, you can find him on Twitter @dddominikk.