Banks, credit card companies, and VPN providers are probably at the top of the list of organizations you really hope would have their security in order. NordVPN, the VPN company you've likely heard recommended by countless YouTubers, has confirmed one of its data centers was hacked over a year ago.
As far as corporate hacks go, this instance is relatively minor in scope. NordVPN confirmed that one of its rented data centers in Finland was accessed by a hacker who exploited an insecure remote management system operated by the data center's owner. The hacker presumably obtained root access to the server(s), as expired private keys belonging to NordVPN were released on the internet. TorGuard was compromised at the same time.
So apparently NordVPN was compromised at some point. Their (expired) private keys have been leaked, meaning anyone can just set up a server with those keys...
— @hexdefined, October 20, 2019
NordVPN says the hacked server didn't contain any logs (because the company says it doesn't log any personal data), and the private key could only have been used to perform "a personalized and complicated man-in-the-middle attack to intercept a single connection that tried to access NordVPN," according to a spokesperson.
While NordVPN isn't exactly to blame for this incident, the company is still ultimately responsible for the security of its customers, and it doesn't help that it waited months after the issue was discovered (and now over a year since the event) to officially disclose the hack.
NordVPN has released a full statement on its blog, explaining that "only 1 of more than 3000 servers we had at the time was affected," and that the company immediately terminated its contract with the data center provider after it learned of the hack:
To recap, in early 2018, one isolated datacenter in Finland was accessed without authorization. That was done by exploiting a vulnerability of one of our server providers that hadn’t been disclosed to us. No user credentials have been intercepted. No other server on our network has been affected. The affected server does not exist anymore and the contract with the server provider has been terminated.
Even though only 1 of more than 3000 servers we had at the time was affected, we are not trying to undermine the severity of the issue. We failed by contracting an unreliable server provider and should have done better to ensure the security of our customers. We are taking all the necessary means to enhance our security. We have undergone an application security audit, are working on a second no-logs audit right now, and are preparing a bug bounty program. We will give our all to maximize the security of every aspect of our service, and next year we will launch an independent external audit of all of our infrastructure to make sure we did not miss anything else.
NordVPN is taking this breach seriously and has put in place a five-prong plan to avoid having a similar security issue in the future. It's partnering with cybersecurity firm VerSprite to test its infrastructure, and is also starting a bug bounty program in the next two weeks to reward anyone who finds a vulnerability in its systems. The company will ask a third party to conduct an infrastructure audit, and will assess the security of any vendor and data center it deals with. Finally, it's also planning on switching to diskless RAM servers that store nothing locally, so that any potential breach would leave the hacker with no data.