Virtual Private Network “NordVPN” Hacked

Laura Bednar, Data Breaches

NordVPN Server Hacked

Ironically, NordVPN, a virtual private network service created to protect browsing privacy, has been hacked. NordVPN, like other VPNs, routes internet traffic through a single encrypted tunnel, making it difficult for outsiders to see which sites a user visits. People who want some privacy when browsing the web, as well as journalists working in dangerous areas, rely on this kind of tool.

The company says it has a “no log” policy in support of that goal and does not collect or share personal data. The breach, however, gave the attacker access to whatever was stored on the compromised off-site server.


Long Time Breach Confirmed

NordVPN said it learned only a few months ago that a server in one of its data centers had been accessed, although the breach itself took place in March 2018. The company was renting the affected server from a data center in Finland. It waited to make the incident public until it was sure every part of its infrastructure was secure.

The attacker exploited an insecure remote management system that the data center provider had installed on the server. The compromised server held no user activity logs, and because none of NordVPN’s applications send user-created credentials for authentication, usernames and passwords could not have been intercepted there. NordVPN also assured customers that the exposed private key, which has since expired, could not have been used to decrypt traffic on any other VPN server.

Even so, the attacker had close to total control of the compromised server for as long as the access lasted. With the server’s private keys in hand, an attacker could:

  • Read or modify any data stored on the server
  • Impersonate the site with the stolen certificate and key and mount a man-in-the-middle attack on users trying to reach the legitimate site, provided the attacker could also get those users’ traffic routed through a machine under their control
  • Use the keys on their own servers to intercept and decrypt connections, at least those that were not protected by forward secrecy

Each of these depends on the key still being accepted by clients; once the certificate expires or is revoked, the stolen key loses most of its value for impersonation.

Reacting to Privacy Concerns

A security researcher described the breach as indicative of a full remote compromise of NordVPN’s systems. The company said it had deployed intrusion detection systems but had no way of knowing about an undisclosed remote management system left in place by the data center provider.

The only way the attacker could have abused website traffic was by performing a targeted man-in-the-middle attack. This would involve intercepting an individual user’s connection and inspecting that connection’s traffic to see what the user was doing; it works against one connection at a time rather than against all users of the service.

Our Director of Forensics at SecureData, Allan Buxton, said there are a few scenarios regarding the breach that are worth exploring:

  • The data center was targeted and their insecure remote management utility led to NordVPN’s victimization
  • VPN Tor is suing NordVPN, which suggests there may be some attribution or retribution going on between VPN competitors
  • There is a possibility that a state is targeting privacy services

Buxton said, “It’s too early to say without more details, but in the meantime, customers relying upon NordVPN’s services are the real victims.”

Securing Servers

While off-site servers offer advantages such as speed, lower cost, and managed storage, they also carry disadvantages, as this breach shows. The off-site provider must have security and privacy rules in place, and the facility and its employees must follow them. It was reported that staff at the data facility added the remote management system without notifying NordVPN. A tenant cannot secure what it does not know is running, so changes to a rented server should be disclosed, and the operator should periodically verify what is actually listening on it rather than trusting the last known configuration.
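One practical way to catch a management service that a provider installed without telling the tenant is to compare what a server is actually listening on against what the operator expects. The following is an added example, not code from NordVPN, the data center, or this page’s author. It parses the output format of `ss -tlnp` on Linux and flags any listener whose port and process are not on an allowlist; the sample output, the allowlist, and the process name `mgmt-agent` are constructed for illustration. A management controller that sits on a separate out-of-band interface (a BMC) would not appear in the host’s own socket table, so this host-side check should be paired with a scan of the server’s addresses from the network side.

```python
"""Audit a Linux host's listening TCP sockets against an allowlist.

Added example. Parses `ss -tlnp`-style output and reports listeners the
operator did not expect, which is how an undisclosed remote management
service on a rented server could be surfaced. The sample output below is
constructed, not captured from a real host.
"""
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass

# Constructed sample of `ss -tlnp` output for a hypothetical VPN node.
# The last line is the kind of surprise this check exists to find.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       4096    0.0.0.0:1194         0.0.0.0:*          users:(("openvpn",pid=1301,fd=6))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       128     0.0.0.0:5900         0.0.0.0:*          users:(("mgmt-agent",pid=2210,fd=5))
"""

# Hypothetical allowlist for this machine role: (port, process name).
# Anything else listening is reported, whether or not it looks benign.
ALLOWLIST: set[tuple[int, str]] = {(22, "sshd"), (1194, "openvpn")}


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str
    pid: int


# One `ss -tlnp` row: state, queues, local addr:port, peer addr:port,
# then users:(("name",pid=N,fd=M)). Only the first process is captured.
LINE_RE = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+"
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


def parse_ss(output: str) -> list[Listener]:
    """Turn `ss -tlnp` text into Listener records, skipping the header."""
    listeners: list[Listener] = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header row or a shape we do not recognise
        listeners.append(
            Listener(m["addr"], int(m["port"]), m["proc"], int(m["pid"]))
        )
    return listeners


def unexpected_listeners(
    listeners: list[Listener], allowlist: set[tuple[int, str]]
) -> list[Listener]:
    """Return listeners whose (port, process) pair is not allowlisted."""
    return [l for l in listeners if (l.port, l.process) not in allowlist]


def audit_live_host(allowlist: set[tuple[int, str]]) -> list[Listener]:
    """Run `ss -tlnp` on the current host and audit it (Linux only)."""
    out = subprocess.run(
        ["ss", "-tlnp"], check=True, capture_output=True, text=True
    ).stdout
    return unexpected_listeners(parse_ss(out), allowlist)


if __name__ == "__main__":
    for l in unexpected_listeners(parse_ss(SAMPLE_SS_OUTPUT), ALLOWLIST):
        print(f"unexpected listener: {l.process} (pid {l.pid}) on {l.addr}:{l.port}")
```

Run against the constructed sample, the audit reports only the `mgmt-agent` listener on port 5900; `audit_live_host` does the same against the machine it runs on, and a result that is not empty is the cue to find out who installed the service and why.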

If your servers, computer systems, or even individual devices have been compromised or breached, call our team at Secure Forensics. Our certified examiners can determine the source of the breach, what information was exposed, and who was responsible. Learn more about our digital forensics services by calling 1-800-288-1407.