“Hack-Proof” NordVPN Confirms Attack

When the news broke on Monday 21st October that self-proclaimed “hack-proof” VPN service NordVPN was the victim of a hack in March 2018, we were surprised – but not shocked.

Hacks, leaks and security breaches can happen to any company – even privacy giants who claim to have complete cybersecurity at the heart of their product. No organisation should ever claim to be 100% “hack-proof”.

The point of a virtual private network (VPN) is to make your data private by sending your surfing traffic to different servers in different countries – essentially masking what websites you’re browsing. VPNs are used by millions of people as an easy way to maintain some level of privacy online.

NordVPN prides itself on data privacy and complete protection, claiming to shield their customer internet activity with Double VPNs, military-grade encryption and CyberSec (some of the most seriously cutting-edge security technologies around). NordVPN is one of the most popular VPN providers in the world with over 5500 servers in 59 countries.

Customers around the world were right to be concerned when they found out that their private data may have been accessed by hackers, especially when NordVPN claims to have a “zero log” policy, which means they don’t track, collect or share any user data.

NordVPN admitted a server in a data centre in Finland had been accessed by an attacker last year, by exploiting a vulnerability of one of the remote server providers.

An expired internal private key had been exposed, which means hackers could have intercepted traffic and viewed the websites users were visiting. A hacker could have also potentially performed dangerous man-in-the-middle attacks on users by pretending to be a NordVPN server. This means if users were typing in private information – like credit card numbers or addresses – on other websites while using NordVPN their details could have been stolen.

More worryingly, the management interface used by the server gives hackers free reign over the system – commonly referred to as “God mode”.

NordVPN has claimed no user credentials were intercepted and that no other server on the network was affected. NordVPN didn’t name the server in the statement on their website, but said that it had ended the contract it had and shredded all of the servers they had rented from the provider.

The server was vulnerable between January 31st and March 20th 2018, but NordVPN has said it was breached on only one occasion during March.

We haven’t heard how long the attacker had access to the server for, whether it was hours, days or even months. It’s also not clear how many users were affected and how much traffic was intercepted.

Even though the server doesn’t exist anymore, and NordVPN claims no user credentials were intercepted, this attack is a serious reminder of how vulnerable a company can be.

Companies should be aware of any potential issues or weak spots in every aspect of their IT security and should be more vigilant if using external server providers so that they can be aware of any possible vulnerabilities a provider might bring. The bottom line is, no company can ever claim to be 100% “hack-proof”.


Get in touch with us on 0131 510 0110 or [email protected] to chat about our IT support services.