NordVPN, a highly recommended virtual private network provider that stresses the importance of a safe, secure and privacy-preserving platform, just admitted that one of its servers was breached by an unknown hacker.

This has left many users second-guessing whether NordVPN is as good as it claims, and whether this security breach defeats the purpose of using a VPN.

To make matters worse, NordVPN’s credibility took a hit after a hacker leaked the news of the breach via a tweet on October 22. With the resulting statement, it became clear that even though the company was aware of the breach, it failed to inform users or make this information public.

The claim was further substantiated by evidence that showed all the codes used when the attack took place.

Why Do People Use VPNs

Virtual Private Networks give you a degree of anonymity by creating a secure connection to another computer.

In short, VPNs are used to shield your browsing activity from your internet service provider and from the sites you visit so you can access region-restricted content. This is done by channeling you through an encrypted pipe that makes it nearly impossible for people to view your activity – the websites you visit, the apps you use, etc.

However, it’s easy to forget that your activity can be viewed by your VPN provider, and this raises a valid concern for many: what if the VPN provider is keeping a log of all the websites a user visits?

What We Know So Far

NordVPN has remained steadfast in its claim of a zero-log policy where user data is never recorded or shared with third parties.

The security breach took place last year in March 2018 and it came to the provider’s notice a couple of months later. At that point, NordVPN did not make the breach public because it wanted to assess the situation properly and see if all security measures were still intact.

Here’s how the attack happened: NordVPN was renting servers from a Finland-based data center. A hacker gained unauthorized access to one of them by exploiting a remote management system installed by the data center provider, and acquired its TLS keys.

Since the server had no logs of user activities and NordVPN's own applications do not send user log-in details and passwords for authentication, the hackers could not gain access to them. Despite this, a slight chance did remain that they could plan a highly complex man-in-the-middle attack to gain access to one connection.

The acquired TLS certificates have now expired, but they were functional at the time of the breach – the hacker could have gained full access to the affected server and could have accessed real-time data.

Why Does Nord Insist That No Harm Was Caused

The breach was confined to one server and once it was highlighted, NordVPN terminated the server and the rental agreement with the data center. As such, the TLS certificate in question did not have the ability to decrypt current or past VPN traffic before it expired.

To strengthen its security, Nord then cross-checked all its servers to detect any existing vulnerabilities and to see if any other server had allowed unauthorized access.

As per the official statement: “Since the discovery, we have taken all the necessary means to enhance our security. We have undergone an application security audit, are working on a second no-logs audit right now, and are preparing a bug bounty program.”

What Is The Expert Opinion

NordVPN did have an intrusion detection system, but this breach was quite unprecedented as it was a fault on the server provider’s end.

However, many users are still left in doubt: does a VPN actually keep them anonymous or not?

All in all, the team at NordVPN could have avoided the negative image if they had been more forthcoming, rather than releasing a statement only after the breach was made public by a third party.

Mark Coulman

Cybersecurity expert with a keen interest in technology and digital privacy. Mark has more than 14 years of experience in creating and managing various reliable WEB applications for IT companies in the EU and the US. Loves 3-4 letter words like PHP, XML, HTML, CSS, DB2, ASP, CRM, ERP, SAP, etc.