NordVPN, one of the most widely recommended virtual private network providers, has confirmed that one of its data centres in Finland was breached in March 2018, when an attacker gained access to a server by exploiting an insecure remote management system left in place by the data centre provider.
The issue was first highlighted by Twitter user @hexdefined on Sunday, who wrote, “NordVPN was compromised at some point. Their (expired) private keys have been leaked, meaning anyone can just set up a server with those keys”.
According to the company’s statement, the breached server didn’t contain any user activity logs, and since none of its applications “send user-created credentials for authentication, usernames and passwords couldn’t have been intercepted either”.
The company rented its servers in this data centre and said it was unaware that the provider had such a remote management system in place.
“We double-checked that no other server could possibly be exploited this way and started creating a process to move all of our servers to RAM, which is to be completed next year. We have also raised the bar to all datacenters we are working with. Now, before signing up with them, we make sure that the DCs meet even higher standards,” NordVPN’s statement reads.
NordVPN says that they learnt about the breach a few months back and immediately terminated its contract with the data centre provider in Finland.
“We did not disclose the exploit immediately because we had to make sure that none of our infrastructures could be prone to similar issues. This couldn’t be done quickly due to the huge amount of servers and the complexity of our infrastructure.”
According to the company, “The expired TLS key was taken at the same time the datacenter was exploited. However, the key couldn’t possibly have been used to decrypt the VPN traffic of any other server. On the same note, the only possible way to abuse website traffic was by performing a personalised and complicated MiTM attack to intercept a single connection that tried to access nordvpn.com.”
NordVPN says that none of its other data centres were affected by the breach. The company also says that it is enhancing the security infrastructure around its product and preparing a bug bounty program.
1/3 Yesterday, our marketing department got ahead of themselves and published an ad on Twitter that triggered the infosec community. The message stated the following: ‘Ain’t no hacker can steal your online life. (If you use VPN). Stay safe.’
— NordVPN (@NordVPN) October 20, 2019