On October 21st, NordVPN published a detailed report about a breach at one of its third-party providers, which took place at the beginning of 2018. A hacker breached a NordVPN server maintained by an unnamed Finnish company. So what happened, and what does this story tell us about this VPN service?
At the beginning of 2018, a cybercriminal managed to get into one of the servers through loopholes in its configuration. Responsibility here lies with the service provider, which, according to NordVPN, “deleted the accounts that had caused the vulnerabilities rather than notify us of their mistake.”
While this sounds threatening, no user data was affected, because NordVPN maintains a no-logs policy: the server did not contain any data about users. NordVPN’s code was also not hacked. It was an isolated attack, which did not spread further due to the immediate actions of the company. Even though the hackers acquired an expired TLS key, they could not use it to decrypt NordVPN’s traffic.
Despite all the fuss in the media, the incident itself was not that widespread. It affected just one server out of 3000. After finding this out, NordVPN reacted swiftly by shredding the server and terminating the contract with the provider. Given that this company does not have a tainted security history, it seems like a quickly eliminated one-off incident.
There is also a positive side to this story. NordVPN initiated an internal audit of its servers, which might improve its security and reliability even more in the future. The audit is also the reason why the company delayed the official statement for so long.
Moreover, NordVPN does not try to evade responsibility. The company officially stated that its “goal is not to undermine the severity and significance of this breach. We should have done more to filter out unreliable server providers”. It also emphasizes the security of its customers as the highest priority. Such a strong and open stance in complicated circumstances like these might make NordVPN even more respectable in the eyes of many of its users.