NordVPN Data Breach 2019: What You Need to Know

November 26, 2019


NordVPN, the highly-rated virtual private network, became a source of breaking news recently when a major data security breach was revealed. 

This breach may leave people wondering what exactly is a VPN (a virtual private network) and what does it mean that one has been hacked? 

Simply, VPNs play a critical role in internet privacy. 

When a person browses the internet, each site visited is seen and logged by that person's internet service provider. Some providers then give this personal information away to a variety of third parties. This is where a VPN comes in. 

A VPN encrypts all the data associated with a person’s internet use and makes it impossible to trace it back to them. Even if a hacker intercepts this information, it will look like gibberish. 

Did NordVPN Get Hacked?

The NordVPN hack has been confirmed and is thought to have occurred on March 5, 2018, at one of their contracted remote servers in Finland owned by Creanova Datacenter. Creanova immediately deleted the accounts that had launched the NordVPN cyber attack. 

Yet, they neglected to inform NordVPN of the breach until April 13, 2019. 

Upon learning of the breach more than a year later, NordVPN immediately destroyed the server, canceled its contract with Creanova, launched a comprehensive security audit, and promised to increase its security efforts going forward. Although the company found out about the hack in April, it did not confirm it publicly until October 21, 2019. 

This inappropriate delay in confirmation is reportedly due to the scope of the internal review of the company’s infrastructure. According to Tom Okman, a member of NordVPN’s tech advisory board, the internal review needed to be completed before any information could go public.

Who Was Affected?

The scope of the information accessed in the NordVPN security breach was minor. The service itself, the code, and the VPN tunnel were not hacked and their apps remain unaffected. 

What the hacker stole wasn't usernames or passwords but NordVPN's TLS key and the OpenVPN CA (certificate authority) key held on that server. The company insists all customers are safe and that no sensitive data was actually divulged, but some experts aren't so sure. 

The hack has been compared to a stolen car being taken for a joy ride and then abandoned. And that's never a good feeling.

The worst case is that some customers have been tricked into connecting to a phony server that is now funneling all their information to third-party hackers. The best case is that no customer data has been stolen at all. 

In sum, the question of the scope of the damage still remains.

When Was NordVPN Hacked and How Did It Happen?

The first evidence on the internet about the stolen TLS key was back in May of 2018 in a post on 8chan. On October 20, 2019, a discussion of the NordVPN breach swelled on Twitter. 

The web developer who began the Twitter discussion said the TLS key had been circulating on the web unnoticed for months. This key is not very useful when it comes to decrypting large amounts of NordVPN's encrypted traffic, but it can be used to decrypt one individual's data. 

NordVPN claimed the process the hacker would have to go through to carry this out is extremely complex and difficult. This claim is not exactly true; a security consultant said intercepting TLS traffic is not nearly as difficult as NordVPN would like the public to think. 

The hacker claims they not only stole the TLS key but also took the OpenVPN CA key. Because the CA key is what signs server certificates, it could be used in conjunction with the TLS key to spy on more than one user at a time: an attacker could stand up rogue VPN servers whose certificates look legitimate and trick multiple users into connecting to them. 

NordVPN’s Response

NordVPN has said the security breach was minor, but they are not trying to downplay the gravity of the situation. According to a company official, “Only 1 of the 3,000 servers we had at the time was affected… We failed by contracting an unreliable server provider.” 

Now, as a response, they are upping their security efforts. Tom Okman told CNET the company is raising standards for their contracted data centers. Okman says they agree better security practices could have been in place. NordVPN is now taking steps to prove they will live up to their promise to provide “secure and private access to the internet.” 

What Exactly Does Tighter Security Look Like?

NordVPN penetration testers will work with VerSprite (a cybersecurity firm) to perform system-wide testing and analysis, seeking out any remaining vulnerabilities that could easily be exploited and eliminating them. 

Additionally, they will replace all their inventory with diskless servers. This way nothing will be stored on-site, and even if a server falls into the wrong hands, nothing will be found on it. NordVPN also plans to create an independent cybersecurity advisory committee to keep a better watch over these things moving forward. 

What We've Learned 

Internet privacy and data security are absolutely vital. 

Although it is troubling to hear about a top-rated VPN failing to protect its users’ activity logs, there are three important lessons to learn from this security breach. 

Lesson 1: Beware Of Phony Servers

NordVPN customers should reach out to the company to verify they are connected to a genuine NordVPN server and not a phony server that is stealing their information. NordVPN claims to have verified that no data was stolen, but that statement is heavily disputed.
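The two passages above (the stolen OpenVPN CA key enabling rogue servers, and Lesson 1's advice to verify you are connected to the real server) share one defensive idea: once a CA key has leaked, ordinary certificate-chain validation no longer proves a server is genuine, because an attacker can mint a certificate that the CA will vouch for. Pinning the SHA-256 fingerprint of the expected server certificate catches that case. The following is an added example written for this article, not NordVPN's or OpenVPN's own code; the host names, port and pin values in it are placeholders, and the byte string in the demo is a constructed stand-in for a real DER certificate.

```python
"""Certificate-fingerprint pinning as a check against rogue VPN/TLS servers.

Added example, not vendor code. Chain validation is still performed; the pin
is an additional check layered on top of it, so a certificate signed by a
stolen CA key is rejected even though the chain itself verifies.
"""
import hashlib
import socket
import ssl
from typing import Iterable


def sha256_fingerprint(der_cert: bytes) -> str:
    """Return the colon-separated, upper-case SHA-256 fingerprint of a DER
    certificate, in the format `openssl x509 -fingerprint -sha256` prints."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_pin(pin: str) -> str:
    """Accept pins with or without colons or spaces, in any case."""
    return pin.replace(":", "").replace(" ", "").upper()


def matches_pin(der_cert: bytes, pins: Iterable[str]) -> bool:
    """True if the certificate's SHA-256 fingerprint equals any pinned value.
    Several pins are allowed so a pending certificate rotation can be
    pre-pinned without breaking clients."""
    actual = normalize_pin(sha256_fingerprint(der_cert))
    return any(normalize_pin(p) == actual for p in pins)


def fetch_server_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Open a TLS connection and return the peer's leaf certificate in DER form.
    The default context verifies the chain and host name first; a server whose
    chain fails is never reached by the pin check at all."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def verify_endpoint(host: str, pins: Iterable[str], port: int = 443) -> bool:
    """Connect to `host` and report whether its certificate matches a pin.
    A mismatch after a successful chain validation is exactly the signature
    of a certificate issued from a leaked CA key, and should be treated as a
    possible rogue server rather than a transient error."""
    der = fetch_server_cert(host, port)
    if matches_pin(der, pins):
        return True
    print(f"PIN MISMATCH for {host}: got {sha256_fingerprint(der)}")
    return False


if __name__ == "__main__":
    # Offline demo on constructed bytes; a real deployment pins the
    # fingerprint of the provider's published server certificate.
    genuine = b"constructed-genuine-server-certificate"   # stand-in for DER
    rogue = b"constructed-rogue-server-certificate"       # signed by leaked CA
    pins = [sha256_fingerprint(genuine)]
    print("genuine accepted:", matches_pin(genuine, pins))  # True
    print("rogue accepted:  ", matches_pin(rogue, pins))    # False
    # Live check (placeholder host and pin; replace with real values):
    # verify_endpoint("vpn.example.invalid", ["AA:BB:..."], port=443)
```

The pin should come from an out-of-band source (the provider's published fingerprint or a configuration shipped with the client), never from the connection being checked, and it must be rotated whenever the provider legitimately reissues its certificate.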

Lesson 2: Know Your VPN Service’s Security Strength

In the wake of the attack, NordVPN has made plans to step up its security efforts in meaningful and significant ways. This is important; NordVPN wasn't the only VPN service that was hacked, and moving forward security will be of the utmost importance for these services.

Lesson 3: Choose Your VPN Service Carefully 

Many VPN services (NordVPN included) take their customers’ security and privacy seriously, but not all of them are high-quality providers. 

When looking for a VPN provider make sure to keep an eye out for these red flags:

  • The provider has lackluster security and privacy features.
  • The company’s reviews contain complaints of slow speed and spotty connection.
  • Websites blocked by the government or any region-locking system can’t be unblocked.
  • A VPN claiming it is 'free.' A 'free' VPN isn't really free: instead of charging a fee, these companies take customer data and use it for their own financial gain. 

To learn more about Arctic Wolf or to schedule a demo, reach out to our team to get started. 
