NordVPN confirmed on Tuesday that one of its servers was breached in March 2018, and the company has now added that it was not a targeted attack on NordVPN and that at least two other VPN services were impacted by the same intruder.
The company also believes that other services renting servers from the breached data centre might have been affected too.
In an email to Candid.Technology, NordVPN’s spokesperson said, “There are no indications that any of our customers were affected and their data was intercepted by a malicious actor. The tunnel itself is safe and never been hacked. Our core databases, our code, and the service itself are also secure and have not been affected.”
The spokesperson also mentions that the breach occurred not long before March 5, 2018, when the evidence for the breach appeared in public. At the time of the breach, NordVPN had 3000 active servers, which has now increased to 5000.
“The server itself did not contain any user activity logs. None of our applications sends user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted.”
The email also mentions that NordVPN encrypts the hard disk of each new server it builds.
Though NordVPN first suspected a breach in April 2019 and stopped using those servers, it didn’t feel the need to inform its users and the public about it until the breach was disclosed by several Twitter users on October 20. In the meantime, it had been aggressively advertising its VPN service.
The virtual private network provider seems to have gone even further into damage control mode, as it has indicated that two other VPN providers were breached too. In other words, the company that took more than six months to admit the security breach after first finding out about it (which was itself more than a year after the breach) wants you to know that two other VPNs have also been breached by the same attacker and they aren’t accepting responsibility, either.
Timeline of the NordVPN breach
- January 31, 2018: Affected server is brought online.
- March 5, 2018: Evidence of the breach appears in public.
- March 20, 2018: Unauthorised access restricted as the data centre deletes the remote management system that caused the breach.
- April 13, 2019: The server is shredded, soon after the company first suspects a possible breach.
According to the company, the breached server didn’t contain any user activity logs, and since none of its applications “send user-created credentials for authentication, usernames and passwords couldn’t have been intercepted either”. The company rented its servers in this data centre and said that it was unaware that the provider had such a remote management system in place.
NordVPN has also updated its statement to reflect the new findings.
Prayank heads the Editorial at Candid.Technology. When not writing, he loves taking trips on his bikes or chugging beers as Manchester United battle rivals.