This is kind of a big deal because a lot of YouTubers like JayzTwoCents promote NordVPN on their YouTube channels, so it will be interesting to see how they handle this.
https://www.infosecshirish.com/nordvpn-finally-admits-it-was-hacked/
NordVPN is a VPN (Virtual Private Network) provider based in Panama. Security researchers disclosed that one of the exit nodes in its network was hacked. An "exit node" is the part of the service that masks the user's IP address. NordVPN claims a "zero log" policy: "We don't track, collect, or share your private data. It's none of our business," NordVPN says on its website.
The breach was carried out by exploiting a vulnerability at one of their server providers. According to their statement, "No user credentials have been intercepted. No other server on our network has been affected. The affected server does not exist anymore and the contract with the server provider has been terminated." NordVPN said that one of its data centers was compromised in March 2018. "One of the data centers in Finland we are renting our servers from was accessed with no authorization," said NordVPN representative Laura Tyrell.
To make it worse, they only revealed the hack after someone literally published their private key on Twitter.
The attacker exploited an insecure remote management system left by the data center provider, which was active for about a month. The company said that it was unaware that such a system existed. The data center was based in Finland. Later they disclosed that the data center provider was a Finnish company called Oy Creanova Hosting Solutions Ltd. It is a shame that a VPN provider which claims to protect users' data isn't aware of what is in its own data centers. But Creanova's CEO, Niko Viskari, blamed NordVPN in an email: "They had a problem with security but because they do not take care of security by themselves, Nord was trying to put this on our shoulders".
"The server itself did not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords couldn't have been intercepted either. On the same note, the only possible way to abuse the website traffic was by performing a personalized and complicated man-in-the-middle attack to intercept a single connection that tried to access NordVPN," said a company spokesperson.
They claimed to have learned about the breach a few months ago, but said it was not disclosed at the time because NordVPN wanted to be "100% sure that each component within our infrastructure is secure." NordVPN also said "no other server on our network has been affected."
Security researchers said, "While this is not confirmed and we await further forensic verification, this is an indication of a full remote compromise of this provider's systems. That should be deep trouble to anyone who uses or promotes these particular services."
Security researchers warned that the company was paying no attention to the larger issue of the attacker's possible access to the network. The researchers said, "Your car was just stolen and taken on a joy ride and you're quibbling about which buttons were pushed on the radio? They spent millions on ads, but apparently nothing on effective defensive security."
One security researcher said it was hard to determine whether the attackers obtained user data, because the company does not collect logs of its server activity, which was actually its selling point. "I think that the worst case scenario is that they could inspect the traffic and see what kind of websites you could visit," Okman said. He said that the company was late to inform its users about the 2018 breach because they had to verify whether their 5,000 servers had the same issue.
