If you spend a lot of time online and care about your privacy, you may have heard of VPN services and of a great VPN provider called NordVPN. NordVPN is an online security service that encrypts your network connection and provides private access to the internet. Since it serves millions of customers across the world, it is no surprise that reports of it being hacked made a splash on the web. However, the question remains whether it was hacked.
What happened to NordVPN? A very simplified picture
Imagine that a burglar broke into a house, went through the drawers, and escaped with some confidential documents. You would be right to say that the security of this house and anyone living in it was compromised.
Now, imagine another situation where the burglar couldn’t break into the house. Instead, he found an unlocked mailbox that contained some spam and took it. Would you say the security of the house was compromised? In a sense, sure — the housemates should’ve picked a mail service that locked the mailboxes. But after the burglary, they did.
This is what really happened in the recently published security breach of NordVPN. One of their datacenter servers in Finland was accessed without authorization. Instead of notifying the NordVPN team about the security breach, the datacenter removed all user accounts that the intruder had exploited. However, the attacker was not able to decrypt any usernames, passwords, email addresses or even the traffic logs of users.
The Facts about the Data Breach – Explained by NordVPN Team
The following are the facts that have been collected from the official website of NordVPN related to the data breach.
- The data breach happened in March 2018. At that time, NordVPN had 3000 servers around the world. A server in Finland was breached because the datacenter left a vulnerability that was exploited by an unknown party. The NordVPN team was unable to detect the breach at that time.
- To quote NordVPN’s official response from their blog: “No user credentials were affected.” This means you don’t have to worry about your usernames and passwords.
- The only data item the attackers were able to acquire was a TLS key. NordVPN explains that the key could be used to attack a single user on the web under “extraordinary circumstances.” However, it cannot be used to decrypt encrypted traffic in any form.
- NordVPN further explained that: “With the lost TLS key, an attacker can target only a single user and it would also require additional access to the target’s device or network. This kind of attack would be very difficult to perform. Expired or not, this breached TLS key could not have been used to decrypt traffic made by NordVPN in any way. That’s not what it does.”
- The third-party datacenter did not notify NordVPN that the server was breached. However, as soon as NordVPN found out about the security breach, they terminated the contract with the datacenter, removed the server, and began an extensive audit of their service.
And here’s some good news we found in this story. This breach once again confirmed that NordVPN collects no user logs — the most important feature for all VPN services.
Conclusion
Of course, NordVPN should have chosen their providers more carefully. However, there is no evidence that any harm was done to its users; the issue was dealt with effectively and led to the implementation of stricter security measures. No public reports of lost accounts or privacy issues linked to this data breach have appeared on any websites or forums. To strengthen security, they have undergone application security audits. The NordVPN team is also preparing a bug bounty program, as Google and Facebook do, to find security loopholes.
The lesson we’ve learned from this story is that a hack is not always a hack.
I agree with the author that the word “hack” regarding this situation doesn’t really convey what happened – no private info was leaked, no traffic was decrypted, etc. I think most websites just went for a clickbait title to get more views. Though it’s nice of NordVPN to take measures to strengthen its security after this incident, even if nothing major happened.