NordVPN, TorGuard Hit by Hacks Involving Insecure Servers

The server did not contain user activity logs, but the hacker stole a NordVPN Transport Layer Security key, which temporarily opened the door for a 'man in the middle' attack.

Michael Kan, Principal Reporter

NordVPN has suffered a breach involving a Finland-based server, but login credentials and identifiable user traffic were not intercepted, the company says.

The same hacker also hit rival VPN providers TorGuard and VikingVPN; TorGuard is downplaying the severity of the breach.

In the case of NordVPN, the breach occurred in March 2018 at a Finnish data center from which NordVPN was renting servers. "The attacker gained access to the server by exploiting an insecure remote management system left by the data center provider while we were unaware that such a system existed," NordVPN said in a Monday statement.

NordVPN has a strict policy against keeping user traffic logs, so "the server itself did not contain any user activity logs," it said. "None of our applications send user-created credentials for authentication, so usernames and passwords couldn't have been intercepted either."

Although the Finnish data center quietly patched the vulnerability in the same month, the hacker stole a NordVPN Transport Layer Security (TLS) key, which was used for encryption over the company's website and extensions. However, the key was never used to encrypt user traffic on the VPN server, the company told PCMag.

Stealing the TLS key did open the door for what's called a "man in the middle attack," which can expose your traffic, unencrypted, to the hacker. But pulling off such a scheme wouldn't necessarily be easy. It would require the creation of a dummy NordVPN client or website, and then tricking a user into using it, which ultimately would have only victimized one computer.

The exposed TLS key also expired in October 2018. As a result, using the key certificate would have eventually displayed a warning on the user's computer about the expiration date.

News of the breach first emerged over the weekend when a web developer tweeted that a NordVPN TLS key had been circulating on the internet, largely unnoticed. The stolen key was posted in May 2018 by an anonymous user on the forum 8chan, who also claimed to have breached servers at TorGuard and VikingVPN.

What's troubling about the 8chan post is how it indicates the hacker gained root access to the affected NordVPN server. In other words, the mysterious attacker could have briefly viewed and modified all the aggregate traffic on the machine when the breach occurred in March 2018.

The same 8chan post also indicates the hacker stole the OpenVPN Certificate Authority (CA) key on board the NordVPN server, which is used to validate the encrypted connections between a VPN server and the user's computer. As a result, the hacker could have used the key to create rogue servers that would have successfully connected to NordVPN's official network. If you happened to connect to a rogue server, the hacker would be able to see all your traffic as well.

In response to these potential dangers, NordVPN told PCMag: "Even if the hacker could have viewed the traffic while being connected to the server, he could see only what an ordinary ISP (internet service provider) would see, but in no way it could be personalized or linked to a particular user."

While the Finnish data center patched the vulnerability with the remote management system on March 20, 2018, it apparently never notified NordVPN about the problem. NordVPN said it learned of the incident a few months ago.

"We did not disclose the exploit immediately because we had to make sure that none of our infrastructure could be prone to similar issues," the company said in today's statement. "This couldn't be done quickly due to the huge amount of servers and the complexity of our infrastructure."

In response to the breach, NordVPN has terminated the company's contract with the Finnish data center. All servers it had been renting from the center have also been destroyed. "Even though only 1 of more than 3,000 servers we had at the time was affected, we are not trying to undermine the severity of the issue," the company added. "We failed by contracting an unreliable server provider and should have done better to ensure the security of our customers."

As for TorGuard, the company also confirmed today it had suffered a breach. However, no Certificate Authority key for validating encrypted connections was ever stored on board the affected VPN server. "We operate this way so if a worst-case scenario occurs and a VPN server is seized or even compromised, no one can tamper with or decrypt user traffic, or launch Man-in-the-Middle attacks on other TorGuard servers," the company said in a statement.

It's unclear when the TorGuard breach occurred, but it involved a single server at a third-party provider, which removed the affected hardware in early 2018.

The hacker did steal a TLS key for the domain torguardvpnaccess.com, but it has not been valid for the TorGuard network since 2017, the company says.

TorGuard said it became aware of the breach in May due to the company's ongoing lawsuit over an alleged blackmail attempt from NordVPN over how it found TorGuard server configuration files on the internet.

"Due to the ongoing lawsuit we cannot provide exact details about this specific hosting re-seller or how the attacker gained unauthorized access," the company said. "However, we would like the public to know this server was not compromised externally and there was never a threat to other TorGuard servers or users."

The third VPN provider the hacker listed in the breach, VikingVPN, did not immediately respond to a request for comment.

Editor's Note: This story has been updated with more information about how the hacker may have also gained root access to the affected NordVPN server.
