ONE OF THE BIGGEST and most trusted VPN providers, NordVPN, has admitted a server it was renting was hacked last year.
NordVPN went public after security researchers made accusations on Twitter that the Panama-based firm was sitting on an attack.
The hackers got to a single server at a data centre in Finland, rented to NordVPN in March 2018.
Given that NordVPN’s entire business model is based on protecting people’s privacy, that’s a bit of a hairy admission. The company is not only one of the most recognisable names in the field, but it’s also one of the (relatively) few services that don’t collect any data about user activity.
The spoils from the raid included an encryption key, which could have let anyone create a fake instance of the VPN service that doesn’t follow Nord’s high standards.
For its part, NordVPN lays the blame at the door of the data centre. The hacker used a remote management system for the server which had been left vulnerable by the system managers. NordVPN adds that it didn’t know such a facility existed.
In a statement to reporters, NordVPN clarified: “The server itself did not contain any user activity logs; none of our applications sends user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted either.”
“On the same note, the only possible way to abuse the website traffic was by performing a personalised and complicated man-in-the-middle attack to intercept a single connection that tried to access NordVPN.”
It added that the stolen key was of no use to the hackers on any other server, and the company has plenty of them around the world.
NordVPN points out that it had no way of knowing about the breach, but some commentators have suggested that there is no excuse for a VPN to be insecure.
The company says it found out about the breach a few months ago but withheld the information until it could be certain that the entire network was safe.