NordVPN, a popular Virtual Private Network or VPN provider, has admitted it was hacked. Although the company’s security was breached, its data management and process policies may have ensured customer privacy remained protected and anonymous. NordVPN’s own admission follows persistent rumors about the development.
NordVPN is one of a growing number of popular VPN providers. These services are gaining rapid acceptance across the globe because they claim to keep internet browsing traffic private from Internet Service Providers (ISPs) and from the sites being visited. In addition to journalists and activists, regular internet users are increasingly subscribing to VPN services to ensure anonymity and protection from potential espionage and data logging attempts by multiple agencies.
NordVPN Hacked, But Customer Privacy Still Intact?
A VPN technically channels all of a user’s internet traffic through one encrypted pipe, making it more difficult for anyone on the internet to see which sites they are visiting or which apps are being used. In many cases, however, this merely shifts visibility of the browsing history from the ISP to the VPN service provider.
According to NordVPN’s internal investigation, the attacker gained access to a server by exploiting an insecure remote management system left by a data center provider. The server had been active for about a month. Clarifying the scope of the breach, a NordVPN spokesperson said, “The server itself did not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted either. On the same note, the only possible way to abuse the website traffic was by performing a personalized and complicated man-in-the-middle attack to intercept a single connection that tried to access NordVPN.”
Apparently this is how NordVPN was hacked (Default credentials on an exposed iDRAC web interface) pic.twitter.com/09QCYQvBYX
— Nathan 🏳️🌈 (@NathOnSecurity) October 21, 2019
In essence, NordVPN claims that although its security was compromised, the attackers could not have obtained information about the company’s clients or the data that passed through the VPN. Apparently, expired internal private keys belonging to NordVPN were exposed, potentially allowing anyone to spin up their own servers imitating NordVPN. But the company insists that this was simply not possible. “The expired private key could not have been used to decrypt the VPN traffic on any other server,” claimed the spokesperson.
What’s concerning about the security breach is the timeline. The breach reportedly happened “a few months ago,” but it was intentionally not disclosed because NordVPN “wanted to be 100% sure that each component within [their] infrastructure is secure.”
Other VPN Service Providers Besides NordVPN Attacked Too:
NordVPN claims it has a “zero logs” policy. “We don’t track, collect, or share your private data,” the company says. What this essentially means is that data encryption and transmission are dynamic, and all traces of the data flow should theoretically be deleted immediately. While this may sound reassuring, a company that promises to “protect your privacy online” should have better defenses. Instead, the company insists, “no-one could know about an undisclosed remote management system left by the [data center] provider.”
Two leading VPN providers admit their servers were hacked, but that’s not the strangest part of the story https://t.co/LIZO0AqHjt
— Paul Wagenseil (@snd_wagenseil) October 21, 2019
Although this is yet to be confirmed, several reports online claim other popular VPN service providers, including TorGuard and VikingVPN, may have been attacked and their security breached. It is not clear why the hackers are going after VPN providers. However, it is quite likely that the primary purpose is to target the service providers rather than individual customers. Large organizations whose primary business is offering security and anonymity would certainly be a prime target for persistent threat groups, as successfully crippling their security could ruin business prospects.