NordVPN admits to security breach and poor PKI management

Written 7 months ago by IanDorfman

NordVPN has admitted that it was breached and, despite the VPN service's "no logs" policy, the attacker might have been in a position to access select user data.

According to a report from TechCrunch, one of NordVPN's Finnish data centers was accessed without authorization in March of 2018 through an insecure remote management system for which the data center provider was responsible. NordVPN would not disclose the provider's name, though it stated that the expired private key obtained could not be used to decrypt VPN traffic on any of the other servers that NordVPN utilized.

A security researcher who consulted with TechCrunch on condition of anonymity described the breach as "troubling," with the potential that there was a "full remote compromise" of the data center provider's services. Despite NordVPN's assurances to TechCrunch that none of its other servers were affected, the anonymous researcher states that the access the attacker had across the system during the period of the breach could still pose a data security risk.

In a detailed response, NordVPN states that only 1 of its 3,000 servers was breached, that no user credentials were accessed, and that no other server on the company's network was impacted. It adds that the server no longer exists and that the server provider no longer has a working relationship with the VPN service. Despite this, NordVPN states that its response is "not trying to undermine the severity of the issue," and lists the following 4 steps being taken to enhance the security of its service:

  1. An application security audit has been performed.
  2. A second "no logs" audit is actively underway.
  3. A bug bounty program is being prepared.
  4. In 2020, NordVPN plans to launch a fully independent and external audit of its whole infrastructure "to make sure we did not miss anything else."

In addition to those steps, NordVPN responded directly to the article, naming TechCrunch in a trio of tweets that summarize its more formal response.

Further coverage:
TechCrunch
NordVPN's official response