The NordVPN Server Breach: Timeline and Key Facts
Timeline: The events surrounding the NordVPN server incident, in chronological order:
- January 31st, 2018: The affected server goes online.
- March 5th, 2018 (estimated): The intrusion itself most likely takes place around this date, judging from the evidence found later.
- March 20th, 2018: The breach is contained when the data center removes the undisclosed, insecure management account the intruder had used.
- May 3rd, 2018: The earliest evidence of the breach surfaces.
- April 13th, 2019: NordVPN is notified of the breach and destroys the compromised server.
Key Facts:
- Limited Impact: A single server, located in Finland, was affected, in March 2018. The rest of the service was untouched and no other server types were exposed; the breach was confined to that one server, not the NordVPN service as a whole.
- Third-Party Configuration Failure: The intrusion was made possible by an insecurely configured remote management account at a third-party data center, added without NordVPN's knowledge. The evidence suggests that when the data center discovered the intrusion it deleted the accounts responsible rather than notifying NordVPN. On learning of the breach, NordVPN destroyed the server, terminated its contract with the provider, and began an extensive audit of its service.
- User Credentials Secure: No user credentials were compromised; as explained in the full account below, the VPN servers never receive user-created credentials.
- No User Traffic Monitoring: There is no indication that the intruder attempted to monitor user traffic, and doing so would not have yielded user credentials in any case.
- TLS Key Acquisition: The attacker did obtain a TLS key (an expired one; see the full account below). In a sophisticated, targeted MITM (man-in-the-middle) attack, a key like this could be used to impersonate the server toward one specific individual and intercept that person's web activity. It cannot be used to decrypt NordVPN traffic, recorded or live: VPN session keys are negotiated with an ephemeral, forward-secret key exchange in which the long-term TLS key only authenticates the server.
- Non-Targeted Attack: Two other VPN providers were hit by the same intruder, which suggests that NordVPN was not singled out.
- No User Activity Logs: The compromised server held no user activity logs, because NordVPN does not keep them. Since the incident NordVPN has added measures to prevent a repeat, including full-disk encryption on every newly built server.
The timeline and facts above summarize what happened and what was, and was not, at risk.
The Complete Account: The NordVPN Incident and Its Technical Details
Several months ago we learned of an incident from March 2018: unauthorized access to a server at a datacenter in Finland from which we were renting servers. The intruder got in through an insecure remote management system account that the datacenter had added without our knowledge. Rather than notifying us, the datacenter deleted the user accounts the intruder had exploited.
No user activity logs were found or accessed during the breach, because we do not keep such logs. User identities, usernames and passwords were not compromised either: our applications do not send user-created credentials to the VPN servers for authentication, so the server had none to lose.
The intruder did obtain an expired TLS key, and its limitations matter. The key could only be used for a web-based attack against a specific individual, and such an attack would require exceptional access to the victim's device or network, which makes it very hard to carry out. (Whether an expired key is usable at all also depends on the victim's client not enforcing certificate validity dates; a client that checks them rejects the certificate outright.) Most importantly, the TLS key, expired or not, could not be used to decrypt NordVPN traffic in any way.
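The two claims made about the leaked key, here and in the key facts above, are worth seeing in code: a long-term certificate key enables impersonation in a live handshake (a targeted MITM), but cannot decrypt recorded traffic when the session key comes from an ephemeral exchange. The following Go program is an added example, not NordVPN's or OpenVPN's code, and it is a deliberately reduced model of an ECDHE handshake: the names (`ServerKey`, `Handshake`, `PassiveDecrypt`, `ActiveMITM`), the stand-in "certificate" (a bare public key plus an expiry date, no chain), the hash-only signature over the key share and the zero nonce are all simplifications chosen for this example. Real TLS signs a handshake transcript and uses proper key derivation; the structural point, that the certificate key signs but never enters the key derivation, is the same.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"
)

// ServerKey is a long-term P-256 signing key standing in for the server certificate's private key.
var ServerKey, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)

// Transcript is what a passive eavesdropper records: both ephemeral shares, the signature, the ciphertext.
type Transcript struct {
	ClientEph, ServerEph *ecdh.PublicKey
	Sig, Ciphertext      []byte
}

// aeadFor derives an AES-GCM key from the ECDH shared secret alone; the long-term key plays no part.
func aeadFor(own *ecdh.PrivateKey, peer *ecdh.PublicKey) (cipher.AEAD, error) {
	shared, err := own.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(shared)
	block, _ := aes.NewCipher(key[:]) // 32-byte key: cannot fail
	return cipher.NewGCM(block)
}

// Handshake is a minimal ECDHE exchange: the signer (honest server, or an attacker holding its key) signs a
// fresh ephemeral share; the client checks expiry and signature, then encrypts msg under a key derived from
// both ephemeral keys. The signer's ephemeral key is returned so that an attacker can keep it.
func Handshake(signer *ecdsa.PrivateKey, certPub *ecdsa.PublicKey, notAfter, now time.Time, msg []byte) (Transcript, *ecdh.PrivateKey, error) {
	srvEph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return Transcript{}, nil, err
	}
	h := sha256.Sum256(srvEph.PublicKey().Bytes())
	sig, err := ecdsa.SignASN1(rand.Reader, signer, h[:])
	if err != nil {
		return Transcript{}, nil, err
	}
	if !now.Before(notAfter) { // client side: an expired certificate is rejected, whoever holds its key
		return Transcript{}, nil, fmt.Errorf("client: server certificate expired on %s", notAfter.Format("2006-01-02"))
	}
	if !ecdsa.VerifyASN1(certPub, h[:], sig) {
		return Transcript{}, nil, fmt.Errorf("client: bad signature on key share")
	}
	cliEph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return Transcript{}, nil, err
	}
	aead, err := aeadFor(cliEph, srvEph.PublicKey())
	if err != nil {
		return Transcript{}, nil, err
	}
	ct := aead.Seal(nil, make([]byte, aead.NonceSize()), msg, nil) // zero nonce: fresh key, one message
	return Transcript{cliEph.PublicKey(), srvEph.PublicKey(), sig, ct}, srvEph, nil // cliEph is dropped here
}

// OpenWith derives the session key from own ephemeral key and the peer's share, then decrypts ct.
func OpenWith(own *ecdh.PrivateKey, peer *ecdh.PublicKey, ct []byte) ([]byte, error) {
	aead, err := aeadFor(own, peer)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, make([]byte, aead.NonceSize()), ct, nil)
}

// PassiveDecrypt: the attacker obtains the certificate key later and replays it against a recorded
// transcript. Static key x client ephemeral would break RSA key transport or static DH; under ECDHE it
// yields the wrong key and AES-GCM authentication fails.
func PassiveDecrypt(leaked *ecdsa.PrivateKey, t Transcript) ([]byte, error) {
	static, _ := leaked.ECDH() // a valid P-256 ECDSA key always converts
	return OpenWith(static, t.ClientEph, t.Ciphertext)
}

// ActiveMITM: the attack the leaked key does enable, impersonating the server in a live handshake.
func ActiveMITM(leaked *ecdsa.PrivateKey, certPub *ecdsa.PublicKey, notAfter, now time.Time, msg []byte) ([]byte, error) {
	t, atkEph, err := Handshake(leaked, certPub, notAfter, now, msg)
	if err != nil {
		return nil, err
	}
	return OpenWith(atkEph, t.ClientEph, t.Ciphertext)
}

func main() {
	now := time.Date(2018, 3, 5, 0, 0, 0, 0, time.UTC) // constructed dates for the demo
	expiry, msg := now.AddDate(1, 0, 0), []byte("constructed sample traffic")
	tr, _, _ := Handshake(ServerKey, &ServerKey.PublicKey, expiry, now, msg)
	_, passive := PassiveDecrypt(ServerKey, tr)
	_, live := ActiveMITM(ServerKey, &ServerKey.PublicKey, expiry, now, msg)
	_, late := ActiveMITM(ServerKey, &ServerKey.PublicKey, expiry, expiry.AddDate(0, 0, 1), msg)
	fmt.Println("recorded session decrypted:", passive == nil, "| live MITM:", live == nil, "| after expiry:", late == nil)
}
```

Run as is, the program reports that the recorded session is not decrypted with the leaked key, that a live MITM succeeds while the client still accepts the certificate, and that it fails once the certificate has expired. The last point is the caveat behind "expired or not": expiry protects a client that checks validity dates, and nothing else; the forward-secret key exchange is what protects recorded traffic regardless of the certificate's state.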
This was an isolated case; no other servers or datacenter providers we use were affected.
As soon as we discovered the breach we terminated our contract with the provider and destroyed the server, which had been operational since January 31, 2018. We then audited our entire infrastructure to make sure no other server could be exploited in the same way. Reviewing the many providers and configurations behind more than 5,000 servers worldwide took considerable time, and we chose to delay public notification until we were confident the attack could not be repeated anywhere in our infrastructure. We have also raised the standards we require of current and future datacenter partners to prevent similar breaches.
Our aim is to give our users and the public accurate information so that they can judge the scope of the breach and what was truly at risk. Although the breach affected only one of the more than 3,000 servers we operated at the time, and only for a limited period, it was an inexcusable mistake that should never have happened. We are committed to strengthening our security and protecting our customers.
Since discovering the breach we have taken several steps to improve our security: an application security audit, a second no-logs audit, and preparation of a bug bounty program. We are also committed to an independent external audit of our entire infrastructure next year.
Our first obligation is to inform and educate the public about this breach. Only by doing so can we recover from this setback and make our security stronger.
NOTE: Post updated 10/25/2019.
UPDATE (10/26/2019): We have released a comprehensive NordVPN security plan outlining our efforts to enhance security following this incident.
NordVPN: Addressing the Hacking Concerns and Ensuring Ongoing Security
UPDATE (11/13/2020): NordVPN has not been compromised since, and there is no evidence that any user data was accessed during the incident. The service is operating with full security measures in place.
With time having passed since the incident, several points bear repeating:
- No Evidence of User Data Compromise: Nothing indicates that any user data was affected. More than a year after the incident was resolved, no subsequent findings have suggested otherwise.
- Swift Resolution and Ongoing Security: The issue was addressed as soon as it was detected, and our processes have since been updated so that the same kind of misconfiguration cannot be exploited again.
- Enhanced Security Measures: Building on the lessons of the incident, we have launched a bug bounty program that invites external security researchers to find and report vulnerabilities, and we are transitioning to colocated servers, which gives us greater control over the hardware and its configuration. Further projects to strengthen our security infrastructure are underway, and we will share details when appropriate.
We understand the importance of maintaining the trust of our users and the wider community. While the past incident was a significant challenge, we have used it as an opportunity to improve and exceed the security standards required. We remain committed to providing a secure and reliable VPN service.
At NordVPN, safeguarding user data and privacy is our utmost priority. We will continue to invest in advanced security measures, perform regular audits, and collaborate with external experts to ensure the highest level of protection. Rest assured that we are unwavering in our commitment to your security.
We appreciate your continued support and trust in NordVPN.
Note: This article will be updated with any new information or developments regarding our security initiatives.