In 2019, NordVPN admitted that there had been an attack on one of its servers, which led to a breach of customer data. The company said that the Finland-based server didn’t include usernames, passwords, or activity logs. The attacker, however, will have seen what websites users had visited, although the websites’ content was encrypted.
NordVPN has enjoyed some increased visibility in recent years, thanks to more emphasis on advertising. Their ads have often been seen or heard on YouTube and podcasts. The product is designed to maintain online privacy, but the breach has broken that promise for some.
The attack wasn’t made via a NordVPN-managed account, but rather a compromised data centre account. This account was later deleted to ensure any further access to the server was blocked. NordVPN insists that it wasn’t informed of the breach until over 12 months after it occurred. It took down the server the very same day before conducting an audit of all of its 5,000 servers.
While the company didn’t make the public aware of the issue until six months later, it said that the audit wasn’t a quick process, and that it didn’t want to go public until it could be certain that no more attacks had taken place. While there are some great VPNs available to download, NordVPN is one of the biggest, so its users have every right to be upset that they weren’t informed of the breach earlier.
The dates given suggest that the window of exposure was around two weeks. NordVPN was originally reported as suggesting the attack had affected 50-200 users. However, when asked, the company said that the exact time of the event remains unknown, as does the number of people who were connected to the server, as they don’t keep logs. But they did offer a rough estimate of around 20-70 active sessions.
That doesn’t narrow things down as much as it sounds: taken together with the figures mentioned above, it suggests a wide range, from possibly fewer than 20 users to over 200. That’s possibly over 200 users who were affected and at risk of their unencrypted traffic being monitored. While no evidence exists of this occurring, it can’t be considered to be out of the question.
It seems that the immediate effect of the attack wasn’t that great. However, that shouldn’t let NordVPN off the hook. It admitted that the attack shouldn’t have happened in the first place. With NordVPN being a popular choice for those looking for a VPN for computer privacy, it wasn’t a good look for the company.
NordVPN offered the public an update through its official website on November 13, 2020. The update said that the VPN isn’t hacked, that no evidence exists of any user data being hacked during the incident, and that their service is completely secure. It went on to repeat a number of key points:
- A year since the attack, no additional discoveries had been made to suggest that any user data had been affected.
- The issue was immediately resolved once the attack had been discovered, and it remains resolved. The company has updated its processes to further ensure this type of attack cannot be repeated.
- Since the attack, steps have been taken to further improve security. The company stated plans to move to colocated servers, launched a bug bounty programme, and said that other projects were in the pipeline.