NordVPN reveals server breach that could have let an attacker monitor traffic

NordVPN says one of its servers was breached in March 2018, exposing some of the browsing habits of customers who used the VPN service to keep their data private. NordVPN says the server, located in Finland, did not contain activity logs, usernames or passwords. But the attacker could have seen which websites users were visiting at the time, an advisor to the company said, although the content of those sites would most likely have been hidden by encryption.


NordVPN has become much more popular over the last couple of years, helped by heavy advertising. Its ads run in the middle of podcasts, and YouTube hosts pause to explain how NordVPN can protect your privacy by masking your browsing activity. The company has positioned its product, which routes your traffic through servers in other cities or countries to hide what you are doing online, as an easy way to stay private, but the server breach may undermine that promise for potential customers.

"Potential attackers could only have entered that server and could only have intercepted traffic and seen which websites people visit – not the content, only the website – for a limited period, only in that remote region," Tom Okman, a member of the NordVPN technical advisory board, told The Verge.

Okman says that NordVPN normally rotates the server each user is connected to every five minutes, though users can choose which country they connect through. That means any given user would probably have been exposed only for short stretches of time. The breach may also have affected only users who were connected through Finland, where the compromised server was located.

Details of the breach began circulating among security researchers over the weekend. In a blog post this morning, NordVPN said it had known about the breach for "a few months" but did not disclose it immediately because the company wanted to check the rest of its systems. The problem was limited to a single server, NordVPN says. According to the blog post, the data center had installed a remote access system on the server without telling the VPN provider, and that system was insecure, allowing an outsider to gain access.

The server was vulnerable between January 31, 2018 and March 20, 2018, but NordVPN believes it was breached only once, in March.

NordVPN says that information taken from the server could not be used to decrypt traffic on any other server. It acknowledges that a stolen encryption key, which has since expired, could have been used to mount a man-in-the-middle attack in which the attacker impersonated a NordVPN server. But NordVPN says such an attack would have to be "personalized and complicated" and could target only one person at a time.
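To make concrete why a stolen server key matters only for one endpoint and only until it expires, here is an added example in Go; it is not code from NordVPN or from the original article. It assumes the stolen key was the private key for a single server certificate issued by a provider CA, which the article does not spell out, and the CA, the host names (fi-1.vpn.example, us-7.vpn.example) and the certificate lifetimes are all constructed for the demonstration. A minimal client check runs four connection attempts with material copied from the breached server: the stolen key presented for the server it belongs to while the certificate is valid (impersonation succeeds), the same key presented for a different server (rejected on the host name), the same key after the certificate has expired (rejected), and the certificate alone without its key (rejected, because the peer cannot prove it holds the key).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// mint generates a P-256 key and a certificate for tmpl signed by parent (self-signed when parent is nil).
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// clientHandshake is the minimum a VPN client does before trusting an endpoint: check that the
// certificate chains to the provider CA, names the host the client wanted and is valid at connection
// time, then make the peer sign a fresh nonce with the matching key. peerKey is whatever key the peer holds.
func clientHandshake(roots *x509.CertPool, presented *x509.Certificate, peerKey *ecdsa.PrivateKey, wantHost string, at time.Time) string {
	var hostErr x509.HostnameError
	var invalid x509.CertificateInvalidError
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots, DNSName: wantHost, CurrentTime: at})
	switch {
	case errors.As(err, &hostErr):
		return "rejected: hostname mismatch"
	case errors.As(err, &invalid) && invalid.Reason == x509.Expired:
		return "rejected: certificate expired"
	case err != nil:
		return "rejected: " + err.Error()
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return "rejected: " + err.Error()
	}
	digest := sha256.Sum256(nonce)
	sig, err := ecdsa.SignASN1(rand.Reader, peerKey, digest[:]) // the peer's half of the exchange
	if err != nil {
		return "rejected: " + err.Error()
	}
	if pub, ok := presented.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return "rejected: no proof of private key"
	}
	return "accepted"
}

// simulateStolenKey builds a hypothetical provider CA, issues one server's certificate and key
// (exactly what a breached server leaks), then tries four connections with them.
func simulateStolenKey() (map[string]string, error) {
	issued := time.Date(2018, 1, 1, 0, 0, 0, 0, time.UTC) // constructed lifetimes, not NordVPN's
	expires, during, after := issued.AddDate(1, 0, 0), issued.AddDate(0, 2, 0), issued.AddDate(1, 0, 1)
	caCert, caKey, err := mint(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example VPN Root CA"},
		NotBefore: issued.Add(-time.Hour), NotAfter: issued.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	cert, key, err := mint(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "fi-1.vpn.example"},
		DNSNames: []string{"fi-1.vpn.example"}, NotBefore: issued, NotAfter: expires,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, caCert, caKey)
	if err != nil {
		return nil, err
	}
	ownKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // an attacker who lacks the real key
	if err != nil {
		return nil, err
	}
	return map[string]string{
		"stolen key, breached host, before expiry": clientHandshake(roots, cert, key, "fi-1.vpn.example", during),
		"stolen key, other host, before expiry":    clientHandshake(roots, cert, key, "us-7.vpn.example", during),
		"stolen key, breached host, after expiry":  clientHandshake(roots, cert, key, "fi-1.vpn.example", after),
		"certificate only, attacker's own key":     clientHandshake(roots, cert, ownKey, "fi-1.vpn.example", during),
	}, nil
}

func main() { fmt.Println(simulateStolenKey()) }
```

The caveat a practitioner will want is the third case: expiry only protects users whose client actually enforces the certificate's validity window, and between the theft and the expiry date the stolen key is accepted unless it is revoked or the client is updated to distrust it. That window, not the breach itself, is the period during which the impersonation the article describes was possible, and it applied only to the one host the key was issued for.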


No other data centers were affected, NordVPN says, and it has ended its relationship with the provider that ran the compromised server.

Okman says the company does not believe any data was copied, but that NordVPN will notify its customers of the breach by e-mail. "I wouldn't call this a hack," Okman said. "This is an isolated security breach – hack is too powerful a word in this case."