Virtual private network (VPN) provider NordVPN has confirmed that one of its servers was breached back in March 2018, and that it had known of the attack since 'a few months ago' - but had not passed that information on top its customers.
Virtual private network (VPN) services are becoming increasingly popular thanks to everything from security concerns over using public Wi-Fi hotspots to geo-blocking of consumers which prevents them accessing selected content based purely on the country in which they live. Using them, though, relies on being able to trust the VPN provider - and trust in NordVPN has taken a hit following its forced disclosure of a data breach in March 2018.
A security researcher posted a Twitter thread which revealed that private data from NordVPN were publicly accessible, including a copy of a since-expired private key which could have been used between the breach and expiry to decrypt private communications or perform man-in-the-middle attacks and which could still be used today to decrypt previously-captured historical traffic - but only, the company claims, on the one specifically-breached server.
NordVPN confirmed the breach in a blog post, while admitting that it knew of the March 2018 breach that resulted in the key being leaked as of 'a few months ago.' Queried in the comments as to why it had not seen fit to inform its customers then, NordVPN's Jordan Page claimed that 'there were no indication [sic] of user data being compromised on that single affected VPN server' - until, of course, there were.
'Even though only 1 of more than 3000 servers we had at the time was affected, we are not trying to undermine the severity of the issue. We failed by contracting an unreliable server provider and should have done better to ensure the security of our customers,' admits NordVPN's Daniel Markuson. 'We are taking all the necessary means to enhance our security. We have undergone an application security audit, are working on a second no-logs audit right now, and are preparing a bug bounty program. We will give our all to maximise the security of every aspect of our service, and next year we will launch an independent external audit all of our infrastructure to make sure we did not miss anything else.'
NordVPN has indicated that refunds will be available for anyone who wishes to cancel their service in the wake of the breach.
March 25 2020 | 14:00