NordVPN, a heavily advertised virtual private network (VPN) provider, has admitted that a server in a Finnish datacenter was accessed by attackers in March 2018 and that it only became aware of the intrusion a couple of months ago. Luckily, the compromised server was the only one in NordVPN's roster to be affected; it held no user activity logs, and no usernames or passwords could have been obtained from it by the attackers.
The one issue users should be aware of is that a TLS key, since expired, was taken at the time of the attack. With that key, traffic passing through that particular datacenter could have been intercepted if it wasn't already secured by an HTTPS connection. In response to the breach, the firm has conducted an internal audit of its systems to find further issues and plans to launch an independent external audit of its infrastructure next year.
Commenting on the issue, Daniel Markuson from NordVPN said:
“Even though only 1 of more than 3000 servers we had at the time was affected, we are not trying to undermine the severity of the issue. We failed by contracting an unreliable server provider and should have done better to ensure the security of our customers. We are taking all the necessary means to enhance our security. We have undergone an application security audit, are working on a second no-logs audit right now, and are preparing a bug bounty program. We will give our all to maximize the security of every aspect of our service, and next year we will launch an independent external audit of all of our infrastructure to make sure we did not miss anything else.”
If you were subscribed to NordVPN around the time of the attack, it's unlikely that you were affected by the breach. Even if you did connect through the Finnish datacenter, your more sensitive site visits were most likely made over HTTPS connections, which would have protected them from interception.
The revelation from NordVPN only came after the flaw was exposed on Twitter. This means the firm has known about the issue for a while and failed to mention it publicly, which raises questions about whether anything else is being hidden. There are many VPN providers out there, so you really ought to weigh up what's available, and you'll probably want to go with one that is quick to alert users to customer-facing issues.