This guide takes a deep dive into the recent NordVPN hack and examines the facts surrounding the situation, with the latest developments.
Recently, media outlets have published a barrage of reports about a NordVPN hack that occurred on a server in Finland. Rumors and allegations have spread fast, since NordVPN is one of the largest VPNs on the market.
While the news may be alarming to some, the tangible impact of this issue for NordVPN users is quite limited.
NordVPN hack: summary of facts
First, to put things in perspective, this hack affected one NordVPN server in Finland out of a network of approximately 5,000 servers. Now let’s examine what exactly happened to this server.
In March 2018, someone posted TLS certificates from NordVPN, TorGuard, and VikingVPN on 8chan. While the 2018 post seems to have flown under the radar, the issue recently erupted on Twitter, which culminated in an article from TechCrunch alleging NordVPN had been “hacked”.
What could a hacker do with an expired TLS key?
When people hear the word “hack” they assume the worst. But let’s dig deeper.
As NordVPN pointed out in their official response,
The intruder did find and acquire a TLS key that has already expired. With this key, an attack could only be performed on the web against a specific target and would require extraordinary access to the victim’s device or network (like an already-compromised device, a malicious network administrator, or a compromised network). Such an attack would be very difficult to pull off. Expired or not, this TLS key could not have been used to decrypt NordVPN traffic in any way. That’s not what it does.
This was an isolated case, and no other servers or datacenter providers we use have been affected.
This leads us to the next question.
Are NordVPN users compromised?
Based on all available evidence, the answer appears to be no. NordVPN users have not been compromised by an attacker gaining access to one expired TLS key for a single server in Finland.
First, the hacker would not have any access to server logs because NordVPN is a no-logs VPN provider that does not store anything on its servers. NordVPN passed a third-party audit by PricewaterhouseCoopers verifying its no-logs policy.
Second, NordVPN utilizes perfect forward secrecy, which generates a unique key for every session using ephemeral Diffie-Hellman keys. This means that even with the server’s TLS key there is little an attacker could do, since that key is used to authenticate the server, not to encrypt traffic. As NordVPN pointed out above, the hacker would need direct access to the user’s device or network for an effective attack (extremely unlikely).
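To make the forward-secrecy argument concrete, here is an added toy model (not NordVPN’s code, and not real TLS): an ephemeral Diffie-Hellman handshake in which the long-term server key only signs the ephemeral values, which is also the property NordVPN’s own summary further down describes. The Mersenne-prime group, the HMAC stand-in for a certificate signature and the epoch-second expiry date are assumptions made for illustration.

```python
"""Toy model of a forward-secret, server-authenticated handshake.

Session keys come only from ephemeral Diffie-Hellman values that both
sides discard after the handshake; the long-term server key only signs
them, and a client that checks validity dates refuses an expired key.
"""
import hashlib
import hmac
import secrets

# Toy DH group: the 127-bit Mersenne prime with generator 3. This is an
# assumption for illustration; real TLS uses >= 2048-bit groups or curves.
P = (1 << 127) - 1
G = 3


class ServerIdentityKey:
    """Long-term key, the counterpart of the leaked server TLS key. An HMAC
    tag stands in for a certificate signature, so verify() reuses the same
    secret; in real TLS the client holds only the public key."""

    def __init__(self, not_after):
        self.secret = secrets.token_bytes(32)
        self.not_after = not_after  # like a certificate's notAfter (epoch secs)

    def sign(self, data):
        return hmac.new(self.secret, data, hashlib.sha256).digest()

    def verify(self, data, tag, now):
        if now > self.not_after:  # an expired key must not authenticate anyone
            return False
        return hmac.compare_digest(self.sign(data), tag)


def encode(*values):
    """Fixed-width big-endian encoding of group elements (all < 2**127)."""
    return b"".join(v.to_bytes(16, "big") for v in values)


def derive_session_key(shared_secret, client_pub, server_pub):
    # Inputs are the DH shared secret and the public values only: the
    # long-term key never enters the session key derivation.
    return hashlib.sha256(encode(shared_secret, client_pub, server_pub)).digest()


def handshake(server_key, now):
    """Run one session; return the transcript a passive eavesdropper could
    record and the session key both sides agreed on."""
    client_eph = secrets.randbelow(P - 3) + 2  # ephemeral private values
    server_eph = secrets.randbelow(P - 3) + 2
    client_pub = pow(G, client_eph, P)
    server_pub = pow(G, server_eph, P)
    signed = encode(client_pub, server_pub)
    tag = server_key.sign(signed)  # server proves identity over the ephemerals
    if not server_key.verify(signed, tag, now):  # client-side check
        raise ValueError("server authentication failed: bad or expired key")
    key_client = derive_session_key(pow(server_pub, client_eph, P), client_pub, server_pub)
    key_server = derive_session_key(pow(client_pub, server_eph, P), client_pub, server_pub)
    if key_client != key_server:
        raise RuntimeError("DH agreement failed")
    del client_eph, server_eph  # ephemeral secrets never leave the handshake
    return {"client_pub": client_pub, "server_pub": server_pub, "tag": tag}, key_client


def session_keys(server_key, now, sessions):
    """Keys from repeated sessions: forward secrecy means each is distinct,
    so a long-term key leaked later unlocks none of them."""
    return {handshake(server_key, now)[1] for _ in range(sessions)}


def client_accepts(server_key, now):
    """True if a date-checking client would complete a handshake at 'now'."""
    try:
        handshake(server_key, now)
        return True
    except ValueError:
        return False
```

The transcript returned by handshake() is everything a recorder on the path would hold; the ephemeral private values it needs to rebuild the session key are never part of it, nor of the long-term key.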
Does this hack even affect anyone?
There’s no way to be 100% certain of anything, but the answer appears to be no.
There’s no evidence to suggest traffic or private data from NordVPN users was accessed or exploited in this hack. With no data breach, there is no legal obligation to alert anyone.
How did the hacker get the TLS keys?
The answer to this question does not seem to be clear – at least to me.
NordVPN is blaming the data center in Finland, as they explained in their official response:
The breach was made possible by poor configuration on a third-party datacenter’s part that we were never notified of. Evidence suggests that when the datacenter became aware of the intrusion, they deleted the accounts that had caused the vulnerabilities rather than notify us of their mistake. As soon as we learned of the breach, the server and our contract with the provider were terminated and we began an extensive audit of our service.
Meanwhile, the data center is blaming NordVPN in a piece published in The Register:
“Yes, we can confirm they were our clients,” Viskari continued. “And they had a problem with their security because they did not take care of it themselves.
“All servers we provide have the iLO or iDRAC remote access tool, and as a matter of fact this remote access tool has security problems from time to time, as almost all software in the world. We patched this tool as new firmware was released from HP or Dell.
Finally, there may be a third explanation – a disgruntled employee. The founder of VikingVPN, who is no longer associated with VikingVPN, suggested on reddit that,
this sounds more like a disgruntled employee at Nord or the datacenter leaking the keys rather than a “hacker.”
So here we have three different possibilities for how the hacker could have obtained the expired TLS key of the NordVPN server in Finland. Regardless, as we’ve explained above, the impact for NordVPN users is essentially nil.
NordVPN provides a summary of events
Before publishing this article, I asked NordVPN for clarification on a few points. One of their representatives provided me with the following summary:
- There are no signs showing that any of our customers were affected or that their data was accessed by the malicious actor.
- The server itself did not contain any user activity logs. None of our applications send user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted.
- Our service as a whole was not hacked; our code was not hacked; the VPN tunnel was not breached. The NordVPN applications are unaffected. It was an individual instance of unauthorized access to 1 of more than 5000 servers we have.
- The hacker managed to access this server because of the mistakes made by the data center owner, of which we were not aware.
- As soon as we found out about the issue, we ceased our relationship with this particular data center and shredded the server.
- It is not possible to decrypt any ongoing or recorded VPN session even if someone obtained private keys from VPN server. Perfect Forward Secrecy (with Diffie-Hellman key exchange algorithm) is in use. Keys from VPN server are used only to authenticate the server and not for encryption.
Timeline of events from NordVPN:
- The affected server was brought online on January 31st, 2018.
- Evidence of the breach appeared in public on March 5th, 2018. *Further evidence suggests that this information only became available soon after the breach actually occurred.
- The potential for unauthorized access to our server was restricted when the data center deleted the undisclosed management account on March 20th, 2018.
- The server was shredded on April 13, 2019 – the moment we suspected a possible breach.
NordVPN’s network security upgrades
To further improve security, NordVPN announced the following plans in their response:
Since the discovery, we have taken all the necessary means to enhance our security. We have undergone an application security audit, are working on a second no-logs audit right now, and are preparing a bug bounty program. We will give our all to maximize the security of every aspect of our service, and next year we will launch an independent external audit of all of our infrastructure.
As noted above, NordVPN is already one of the few VPN providers that have undergone a full third-party audit to verify their no-logs claims. This audit was completed in November 2018 and it appears a second audit is currently underway.
Additionally, NordVPN has told me they will reconfigure their server network to run in RAM-disk mode only. This is indeed a more secure setup than traditional hard drives, since nothing persists on the server once it loses power. Perfect Privacy runs its network this way, and ExpressVPN has also transitioned to running all servers on RAM disks, a feature it calls TrustedServer.
Closing thoughts on the NordVPN “hack”
NordVPN is probably the most popular VPN provider on the market. Consequently, it has a big target on its back in a viciously competitive sector. This may explain why this “hack” blew up in the first place with media outlets jumping on the clickbait bandwagon, before researching the scope of the issue and how it even affects NordVPN users.
People appear to be somewhat divided on the issue. Some argue this shouldn’t even be called a “hack” as it involved an expired TLS key on a single server in Finland with no access to user data or traffic. Others are following the tune of TechCrunch and denouncing NordVPN.
Despite the recent outcry and barrage of clickbait headlines, there appears to be little, if any, impact on NordVPN users – even those who were using the Finland server in March 2018. As such, I don’t see any reason to sound the alarm and advocate a mass exodus away from NordVPN. Although the current issue is concerning, it’s not catastrophic by any stretch of the imagination.
Hopefully, NordVPN will use this as an opportunity to realign their priorities with more focus on security and improving their VPN.
I love how u ppl dox a man just because they criticise a company lol
Today as most web users trend in trying to keep their data invisibly safe as possible, in which one of the main methods being employed is of the VPN services. Offering their encrypted tunnels to networking in most places on the global scale.
Gives subscribers an ability to choose which of the VPN server(s) from a pool offered and the countries that you trust most.
When accessing the all-eyes gridiron of Internet in the World’s population where as nation against nation use super high tech and all are gobbling up IPs and Device IDs besides fingerprinting everything in carrying out their spy-a-thon activities.
Sounds simple enough, lol, as long as a user has the Right OF Choice being made to a server in a VPN service pool itself offers.
But there comes apparent risks when the choice made – is not of the users elected one but, has been made by the VPN service itself, as in this case of Nord as we’ve seen in the news of late.
It could have been many of the other hundreds of VPNs as well, than Nord justly listed here, of this breach in a user’s trust for a service built on the demands in model to user trusts.
Think – Based**Motivated in, as VPNs grow in numbers because it’s 1/3 to 1/2 less in a cost to their user base – basically, as certain VPNs have structured in the leasing model.
As most of their business services running end is dependent on leased (servers) being used, as not to be own, maintain, by their own companies for a cost versus profit ratio in benefits.
Proves to me – all the like VPN’s are not much more vested a to privacy business than to their own afforded lifestyles by their windfall profits simply had by subbing out a majority of their VPN businesses inter-structure in purpose to attract users at rock bottom prices.
Or they got an immediate, as well as the continuing healthy returns for their actual invested funds, of which was a great return for the little background in knowledge of the field they had. Answering to their marketing dreams of a residual income for the life of the VPN service they will continue to run.
These are exactly very good case points – as why Every VPN company in this business needs an actual Full Ownership stake in the overall structure of their Own companies operating businesses Infrastructure to guarantee its users this level of privacy, further as shown with the dedication of building their own company server assets under their own brand name.
*~Then for users to look at this as one of the most important basic features, and the breaking down in understanding the subscription price that’s asked.
That’s really the only VPN model, in this VPN business today (2020) where a User needs to Focus on and by trusting in their Use with an understanding to what the VPN company actually owns of what’s offered for the customers use.
As the subscription price offered might indicate any shortcuts and a weakness in its company’s foundation to a user’s privacy benefits.
It’s possibly one of the strongest foundations that you could want or find, giving merits as the devoted points to the investments of the VPN company beforehand, to its future being led by its past achievements, and the needed related tech experiences and personal history of the owner(s) rooted to the service’s private mission for its customers as the oriented results by an ending goal driven to privatize its user data.
As well to note again, it may cause the reflected pricing being high of the ones who do actually run a full VPN service where everything is owned and being internally handled and operated by a said VPN service themselves…
Over any less priced VPN options, who may come up SHORT in users privacy where a contracted leased (all/some) of the servers they do use for their customers subscription price point in the market.
Then for all VPN’s to be openly transparent as a push here is on– https://cdt.org/vpns/
Trust is a critical component to a thriving digital ecosystem. We trust banks to keep financial information secure, we trust search engines to get us the information we want, and map apps to show us the most efficient route.
Ironically, as virtual private networks, or VPNs, are often a tool for users who lack trust in the practices of the other online entities in their e-paths of life.
So if a VPN has a self owned/operated infrastructure and was to experience a breach, its ability to know about this immediately is great as they’d be fully in control over everything the company offers to their customers.
We’d not have the worries to any offences as in the deleted evidence by a leased servers admins, no un-patched vulnerabilities to the servers pool the business offers users, and no need for an outside reliance with a company’s team maintaining any and all of their servers.
To where their own customers couldn’t be assured of a 100% trust of the service as guaranteed in that every last part of the VPN company is self-contained as being owned and operated independently from a need of others or outside services rendered to running the business.
Inspired by the source:
https://www.goldenfrog.com/blog/nordvpn-hack-3-ways-vyprvpn-keeps-your-data-safe
@123
Hi, I’d say none of these are called prime VPNs of your info and links offered, but thanks for the heads up for everyone’s benefit.
.
I’d personally stick with a time tested, trusted and true to the user VPN service. Having a faith it’s been vetted by the professionals and users community many times over and remain true, honorable, and trustworthy by comparisons to the likes of those you’ve called out.
(A WEB TRAIL – of their businesses pro/con history)
[We seldom get any personal backgrounds (fields of experience) on the owners/developers who have started/running a VPN service.]
.
*** Shady old VPNs are still doing business because of a user’s poor understanding, or they’re going with only in trusting on the advertising hype as it’s presented, or fallen for the fake review sites biased to promoting questionable VPNs for an income to the review site itself, etc… No in-depth self research done for whatever reason!
(New VPNs same suite of hype pitfalls found to just getting NOTICED)
All these folks (type – un-experienced/lost/misguided), seem deserving of whoever’s VPN they settle for of what I’ve called the b-tier VPN services.
.
– Just think of the shift in VPN accounts, the bad hype of an incident on privacy/security causes to a VPN service.
Almost seems as it’s of the same competing VPN services caught airing doubt or accusations against each other.
While others in a top ranks or favor remain unscathed or victimized.
Thanks for sharing.
Another problem with NordVPN right now: their CyberSec feature is crashing most websites or outright blocking them. This has also been confirmed by their customer service. Too many problems with Nord over the last few weeks, including the recent user password leak.
That was not necessarily a leak. It was people using hackable passwords, and then somebody hacked their passwords and posted them. Not a “leak” really.
Please make news of these liars…. Can you add this https://restoreprivacy.com ?
Steganos/Okayfreedom VPN Exposed
https://img.techpowerup.org/191103/ste.jpg
Example: https://api.steganos.com/v2/products/okayfreedom/clients/9b8f1d8d-6c56-4f4b-9a64-84ca2d08ac10/status/
https://api.steganos.com/v2/products/okayfreedom/clients//status/
§1 No data storage when using a VPN server
The OkayFreedom service saves neither addresses nor content accessed by the user, the IP address that OkayFreedom assigned to them; nor the user’s own IP address through which they are using OkayFreedom. As a result, it is not possible for Steganos to ascertain the content an OkayFreedom user has accessed. Neither the IP address of the user nor that of the accessed servers are saved.
Code:
https://www.okayfreedom.com/en/privacy
§ 1 No Saving of Data in the Usage of the VPN Server
The Steganos Online Shield-Service saves neither the addresses nor contents that the user calls up, nor the IP addresses that Steganos Online Shield has allocated, nor their own IP address that they use on Steganos Online Shield. It is not possible for Steganos to determine what contents Steganos Online Shield calls up. Neither the IP addresses of the users nor the IP addresses of the called server is saved.
Code:
https://www.steganos.com/en/vpn-privacy
Seed4.me VPN Exposed
seed4.me vpn intercepts encrypted web traffic for ad injection.
https://img.techpowerup.org/191102/seed181.jpg
Example: Install seed4me vpn client and connect any server
go to http://imgsafe.org/ and see
There are new allegations from Ars Technica regarding a new leak of user credentials: https://arstechnica.com/information-technology/2019/11/nordvpn-users-passwords-exposed-in-mass-credential-stuffing-attacks/
TLDR version:
I guess NordVPN could have forced their users to choose stronger passwords, but the VPN account/username doesn’t really mean anything. An attacker could just use your account for free, or perhaps sell it to someone else, but not access your data or decrypt traffic in any way. A VPN password is not like an email password, which is actually valuable. It only authenticates and allows you to use the network.
When people hear the word ‘hack’ they assume the worst. When I saw that only expired TLS keys were leaked I was like WHAT? Executing MITM with TLS keys is already hard, but expired ones… like RLY? Seems like TechCrunch wrote an article with an agenda to downplay Nord, not to explain what actually happened lol
Hi Sven, have you seen this revised NordVPN timeline of the hack?
Wondering what your thoughts are on it since you covered the TG / Nord lawsuit. Seems like Nord might have lied this whole time and was using the info to blackmail TG while they themselves were the vulnerable party… Does not look good IMO.
https://i.imgur.com/S3Sq5SY.png
Thanks for this. When I saw the Techcrunch article fly through my feed, I came here first and saw nothing (had just happened, not being critical). I was waiting for your response to the incident and figured it would be along when the dust settled and facts presented themselves. Thanks for an even-keel assessment and your due diligence….as usual.
I read your full article Sven and thank you for taking the time. I’m a Nord user, and all that news about it being hacked worried me a lot, though it was a bit hard to understand what happened. As I understand now it’s more of competitors fighting each other, and Nord users are safe, so thanks for giving me some peace of mind browsing.
“NordVPN has told me they ***WILL*** reconfigure their server network to run in RAM-disk mode only.”
That’s a bit like asking how long a piece of rope is.
Hi Sven, you should do an article on the countries with best and worst jurisdictions for data privacy!
Hello Jax,
Until then you should check out the-
https://restoreprivacy.com/5-eyes-9-eyes-14-eyes
Many facts there, that I’m now IN questions of a global privacy for anyone.
If a jurisdiction’s privacy provisions (laws) may have become less importance with the United States Mutual Legal Assistance Treaties and Agreements – with many nations.
–
MLAT treaties – in Departments of Justice, State, and Treasury have aggressively sought to encourage foreign governments to cooperate in joint investigations of narcotics trafficking and money laundering, offering the possibility of sharing in forfeited assets. A parallel goal has been to encourage spending of these assets to improve narcotics-related law enforcement. The long term goal has been to encourage governments to improve asset forfeiture laws and procedures so they will be able to conduct investigations and prosecutions of narcotics trafficking and money laundering that includes asset forfeiture.
–
Though, called out for joint cooperation in narcotics and money laundering related crimes – we all know things can change. Once an agreement/contract is in force it can be forever revised.
One fact in this is like a divorce alimony agreement, if you agree to even a $1. then the doors open for the other party to open discussions/actions to raise the $1. because of your income raised.
Never agreeing to even a $1. shut that door closed for good.
Thank you, appreciate your inputs.
The TechCrunch piece is even worse than you suggested.
They used an ANONYMOUS “senior security researcher” to try to convince everyone how bad this is. Their anonymous “expert” explains how this should be “deeply concerning” for all Nord users. Oh the horror!!!
TechCrunch is owned by Oath INC and it falls under the umbrella of Verizon Media, which itself is an enemy of privacy.
https://www.verizonmedia.com/policies/xw/en/verizonmedia/terms/otos/index.html
Why does anyone take them seriously?
This whole thing reminds me of the nordvpn defamation campaign last year launched by competing vpn services and their employees.
https://vpnpro.com/blog/confusion-in-the-vpn-industry-is-nordvpn-being-defamed/
PIA employee Caleb Chen and CEO started the attack. A Torguard employee named Tom Spark / Kevin Vadala / Corelio Guardez used his youtube channel, reddit and vpnscam website to also spread lies.
So this is just the latest round of vpn companies attacking each other to spread fake news.
Windscribe was also in on the attack with Tom Spark from TorGuard http://archive.is/NBtiP
Yeah it reminds me of how NordVPN gave the ProtonMail reddit rep the personal name of their very own affiliate (Tom spark) because they did not agree with the kid’s youtube videos. And ProtonMail posted it on Reddit. Was there a swiss court order I missed?
It is NOT OK for NordVPN to demand that TorGuard force some kid to take down all his Youtube videos. They blackmailed TorGuard with this hack and would not help them unless they agreed to a “gentleman’s agreement”. This looks like it’s just getting started:
[https://torguard.net/blog/when-bug-bounties-border-on-blackmail/]
At last, a critical article. I’m a Nord user, and I know your web page has been critical towards this VPN, but it’s better an accurate critique than a positive lie. I carefully read the whole incident, and I understand the rationale for not disclosing this incident instantly, especially if Nord (as they stated) are going through an audit again. Thanks for clarifying that users should not worry and our accounts are not compromised, TechCrunch article formed entirely different view… Just one question, you wrote that NordVPN is “reconfigure their server network to run in RAM-disk mode only” to improve security. Can you explain what exactly this does? Thank you!
This article from ExpressVPN does a good job breaking it down.
Hi Bohemian Rhapsody,
Exactly, as your comment suggests – it’s the perspective people use to break it down of understanding it.
Are they seeing things, (all things) with eyes wide shut to their logical mind’s eye view of inspection.
Most doing an immediate assessment as in – “is my glass half full or empty” and motivated off that level of impulse to be alarmed.
All without the proper time in a discovery, a justification, an evaluation of real facts and the path where an alarm would be or not – helpful to everyone…
–
Halloween’s right around the corner, as too are the BF – CM deals.
*Motivation ? – This is a big scare for sure without going past any headlines or used self fact-finding skills people have abilities in of their self.
*Ploy ? – to get people shopping for a VPN because of the two (SCARE and Sale) being celebrated nearly a month apart ?
Thanks
Dear Sven,
There is a mistake in your article “According to the provided timeline, NordVPN suspected a possible breach in April 2019” – but it was in March 2018, please correct it 🙂
Source : https://nordvpn.com/blog/official-response-datacenter-breach/
Hello! I’ve heard that NordVPN has no one that could be responsibilized in case something went wrong now or ever. I’m not specialized at the matter, but the problem was related to the missing information about someone legally responsible for the company legal acts. Do you know something about that Sven?
Sven.
–
That was a TRIPLE S(ven).
Sweet, succinct, and substantive.
–
I was nervous as a customer. I read everything here. I see the rationale. I understand all sides of it. And I’ve formed my own opinion.
Can you please tell me you will moonlight as a journalist (assuming you already are not). I am sick of the FAKE, bogus, SPIN, and annoying CLICKBAIT as well as maliciousness (conflicts of interest you spoke about with that TechCrunch company . . . )
I need more people like you to be writing the REGULAR news, I’m so tired of FAKE bull crap.
–
Thanks for explaining this in a way a non-technical person can understand too.
—
Thank you!
..
Thank you for this article, a lot of the people are going crazy over this, like they’re spies whose lives are now at risk when in reality they’re probably just bittorrenting the latest movies. Then they switch to PIA or some other 5+ eye country VPN like it’s somehow better. NordVPN was “hacked” because they are big and everywhere. Nothing is perfect or safe from hackers and anything that big will be hacked eventually.
I completely agree with your top 2 concerns though, hopefully they learn and improve from this experience.
Sven,
Have you updated your reviews about Nord? The last time I checked, you left the impression they were awesome and speeds were not an issue and you made no mention “speeds took a hit across the board”.
Yes, variable/slower speeds are noted in the NordVPN review.
Hi Sven,
I found this in comments on Nords Blog.
Regardless, we’ll issue refunds for anyone concerned with this matter. Please contact our Customer Support team to request a refund at support@nordvpn.com
– Via reply to a users comment on their blog announcing their official statement.