NordVPN has been hacked. Attackers managed to penetrate a Finnish server belonging to the company and could theoretically carry out a man-in-the-middle attack. The leak has now been fixed, the company said.
Rumors had been circulating for some time on Monday about a possible hack after private keys of connections were leaked. NordVPN has now confirmed the break-in to TechCrunch. “One of the data centers in Finland where we rent our servers has been accessed without authorization,” a company spokesperson told the site. The company has now also reported the incident itself. It says it is conducting further forensic investigations into the incident.
The attackers managed to get into the server by exploiting a vulnerability in a remote management system. That weakness was reportedly left in the system by the data center. NordVPN says it was not aware of this itself. The company would not say which data center it was. By penetrating the server, an attacker could theoretically mount a man-in-the-middle attack. NordVPN does not say whether that happened. The TLS private key, which has since expired, could not be used to decrypt traffic to other servers, according to NordVPN.
The attackers broke into the server in March 2018. The server itself had been active since January 31 of that year. On March 20, the vulnerability was reportedly patched by the server provider, making exploitation no longer possible. The company noticed the leak “a few months ago” but is only now coming forward because it “wanted to be 100 percent sure” that all other infrastructure was secure.
According to NordVPN, there is little danger for users. The company says that there were no logs on the server, and that it does not do any logging at all. Allegedly, no passwords or usernames were stolen either. These are not sent for authentication when a connection is made, the company says.