This guide takes a deep dive into the recent NordVPN hack and examines the facts surrounding the situation, with the latest developments.
Recently media outlets have been publishing a barrage of reports concerning a NordVPN hack occurring on a server in Finland. Rumors and allegations have been spreading fast, with NordVPN being one of the largest VPNs on the market.
While the news may be alarming to some, the tangible impact of this issue for NordVPN users is quite limited.
NordVPN hack: summary of facts
First, to put things in perspective, this hack affected one NordVPN server in Finland out of a network of approximately 5,000 servers. Now let’s examine what exactly happened to this server.
In March 2018, someone posted TLS certificates from NordVPN, TorGuard, and VikingVPN on 8chan. While the 2018 post seems to have fallen under the radar, the issue recently erupted on Twitter, which culminated in an article from TechCrunch alleging NordVPN had been “hacked”.
What could a hacker do with an expired TLS key?
When people hear the word “hack” they assume the worst. But let’s dig deeper.
As NordVPN pointed out in their official response,
The intruder did find and acquire a TLS key that has already expired. With this key, an attack could only be performed on the web against a specific target and would require extraordinary access to the victim’s device or network (like an already-compromised device, a malicious network administrator, or a compromised network). Such an attack would be very difficult to pull off. Expired or not, this TLS key could not have been used to decrypt NordVPN traffic in any way. That’s not what it does.
This was an isolated case, and no other servers or datacenter providers we use have been affected.
This leads us to the next question.
Are NordVPN users compromised?
Based on all available evidence, the answer appears to be no. NordVPN users have not been compromised by an attacker gaining access to one expired TLS key for a single server in Finland.
First, the hacker would not have any access to server logs because NordVPN is a no logs VPN provider that does not store anything on its servers. NordVPN passed a third-party audit by PricewaterhouseCoopers verifying its no-logs policy.
Second, NordVPN utilizes perfect forward secrecy, which generates a unique key for every session using ephemeral Diffie-Hellman keys. This means that even with a TLS key there’s little a hacker could even do, since the keys are used for server authentication and not traffic encryption. As NordVPN pointed out above, the hacker would need direct access to the user’s device or network for an effective attack (extremely unlikely).
Does this hack even affect anyone?
There’s no way to be 100% certain with anything, but the answer appears to be no.
There’s no evidence to suggest traffic or private data from NordVPN users was exploited in this hack. With no data breach, there is no legal obligation for alerting anyone.
How did the hacker get the TLS keys?
The answer to this question does not seem to be clear – at least to me.
NordVPN is blaming the data center in Finland, as they explained in their official response:
The breach was made possible by poor configuration on a third-party datacenter’s part that we were never notified of. Evidence suggests that when the datacenter became aware of the intrusion, they deleted the accounts that had caused the vulnerabilities rather than notify us of their mistake. As soon as we learned of the breach, the server and our contract with the provider were terminated and we began an extensive audit of our service.
Meanwhile, the data center is blaming NordVPN in a piece published in The Register:
“Yes, we can confirm they were our clients,” Viskari continued. “And they had a problem with their security because they did not take care of it themselves.
“All servers we provide have the iLO or iDRAC remote access tool, and as a matter of fact this remote access tool has security problems from time to time, as almost all software in the world. We patched this tool as new firmware was released from HP or Dell.
Finally, there may be a third explanation – a disgruntled employee. The founder of VikingVPN, who is no longer associated with VikingVPN, suggested on reddit that,
this sounds more like a disgruntled employee at Nord or the datacenter leaking the keys rather than a “hacker.”
So here we have three different possibilities for how the hacker could have obtained the expired TLS key of the NordVPN server in Finland. Regardless, as we’ve explained above, the impact for NordVPN users is essentially null.
NordVPN provides a summary of events
Before publishing this article, I asked NordVPN for clarification on a few points. One of their representatives provided me with the following summary:
- There are no signs showing that any of our customers were affected or that their data was accessed by the malicious actor.
- The server itself did not contain any user activity logs. None of our applications send user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted.
- Our service as a whole was not hacked; our code was not hacked; the VPN tunnel was not breached. The NordVPN applications are unaffected. It was an individual instance of unauthorized access to 1 of more than 5000 servers we have.
- The hacker managed to access this server because of the mistakes made by the data center owner, of which we were not aware.
- As soon as we found out about the issue, we ceased our relationship with this particular data center and shredded the server.
- It is not possible to decrypt any ongoing or recorded VPN session even if someone obtained private keys from VPN server. Perfect Forward Secrecy (with Diffie-Hellman key exchange algorithm) is in use. Keys from VPN server are used only to authenticate the server and not for encryption.
Timeline of events from NordVPN:
- The affected server was brought online on January 31st, 2018.
- Evidence of the breach appeared in public on March 5th, 2018. *Further evidence suggests that this information only became available soon after the breach actually occurred.
- The potential for unauthorized access to our server was restricted when the data center deleted the undisclosed management account on March 20th, 2018.
- The server was shredded on April 13, 2019 – the moment we suspected a possible breach.
NordVPN’s network security upgrades
To further improve security, NordVPN announced the following plans in their response:
Since the discovery, we have taken all the necessary means to enhance our security. We have undergone an application security audit, are working on a second no-logs audit right now, and are preparing a bug bounty program. We will give our all to maximize the security of every aspect of our service, and next year we will launch an independent external audit of all of our infrastructure.
As noted above, NordVPN is already one of the few VPN providers that have undergone a full third-party audit to verify their no-logs claims. This audit was completed in November 2018 and it appears a second audit is currently underway.
Additionally, NordVPN has told me they will reconfigure their server network to run in RAM-disk mode only. This indeed is a more secure setup over traditional hard drives as nothing can be stored on the server. Perfect Privacy runs their network this way and ExpressVPN has also transitioned to running all servers in RAM-disk, which they call the TrustedServer feature.
Remaining concerns with NordVPN
Unlike many other sites discussing VPNs, NordVPN has never been our top recommendation here at Restore Privacy. While it is an affordable VPN with good features, it has never held the #1 spot on the best VPN list. And despite all the recent uproar, I’m not overly concerned about the TLS key issue with a server in Finland.
Nonetheless, here are three lingering concerns.
1. Faster notification
According to the provided timeline, NordVPN suspected a possible breach in April 2019. Their reasoning for the delayed notification was to ensure the rest of their network was secured against further attacks. Another potential justification for the delay is that nobody’s data was affected by this “hack”.
Nonetheless, waiting months to alert their users was probably not the best idea.
2. Marketing over security
Over the past few years, I’ve watched as NordVPN has dumped untold amounts of money into marketing. NordVPN advertisements have been all over the internet, on television, and now there’s an army of YouTubers promoting the VPN as well.
While the VPN market is indeed competitive, it seems that marketing is now a top priority, which may come at the expense of security. Hopefully, this latest event can help NordVPN realign its priorities with a renewed focus on security and less on marketing and promotion.
3. Performance
Early this past summer, when running tests for the NordVPN review, I noticed that performance has taken a hit. Speeds were generally slower across the board in comparison to previous tests of NordVPN’s server network performance.
I’ve also received similar feedback from a few NordVPN users. Diverting some resources from the marketing budget into server and bandwidth upgrades could help with this problem.
Closing thoughts on the NordVPN “hack”
NordVPN is probably the most popular VPN provider on the market. Consequently, it has a big target on its back in a viciously competitive sector. That may help explain why this issue blew up in the first place with the TechCrunch article and other outlets jumping on the clickbait bandwagon.
TechCrunch is a media outlet owned by Verizon, which also has a VPN service called “Safe Wi-Fi”. In this article you can see TechCrunch promoting Verizon’s VPN service, which is a direct competitor of NordVPN. This may explain why TechCrunch suddenly announced the “NordVPN hack” with such fanfare.
People appear to be somewhat divided on the issue. Some argue this shouldn’t even be called a “hack” as it involved an expired TLS key on a single server in Finland with no access to user data or traffic. Others are following the tune of TechCrunch and denouncing NordVPN.
Despite the recent outcry and barrage of clickbait headlines, there appears to be little, if any, impact on NordVPN users – even those who were using the Finland server in March 2018. As such, I don’t see any reason to sound the alarm and advocate a mass exodus away from NordVPN. Although the current issue is concerning, it’s not catastrophic by any stretch of the imagination.
Hopefully, NordVPN will use this as an opportunity to realign their priorities with more focus on security and improving their VPN.
Another problem with NordVPN right now : Their CyberSec feature is crashing most websites or outright blocking them. This has also been confirmed by their customer service. Too many problems with Nord over the last few weeks, including the recent user password leak.
That was not necessarily leak. It was people using hackable passwords, and then somebody hacked their passwords and posted them. Not a “leak” really.
Please make news of these liars…. Can you add this https://restoreprivacy.com ?
Steganos/Okayfreedom VPN Exposed
https://img.techpowerup.org/191103/ste.jpg
Example: https://api.steganos.com/v2/products/okayfreedom/clients/9b8f1d8d-6c56-4f4b-9a64-84ca2d08ac10/status/
https://api.steganos.com/v2/products/okayfreedom/clients//status/
§1 No data storage when using a VPN server
The OkayFreedom service saves neither addresses nor content accessed by the user, the IP address that OkayFreedom assigned to them; nor the user’s own IP address through which they are using OkayFreedom. As a result, it is not possible for Steganos to ascertain the content an OkayFreedom user has accessed. Neither the IP address of the user nor that of the accessed servers are saved.
Code:
https://www.okayfreedom.com/en/privacy
§ 1 No Saving of Data in the Usage of the VPN Server
The Steganos Online Shield-Service saves neither the addresses nor contents that the user calls up, nor the IP addresses that Steganos Online Shield has allocated, nor their own IP address that they use on Steganos Online Shield. It is not possible for Steganos to determine what contents Steganos Online Shield calls up. Neither the IP addresses of the users nor the IP addresses of the called server is saved.
Code:
https://www.steganos.com/en/vpn-privacy
Seed4.me VPN Exposed
seed4.me vpn intercepts encrypted web traffic for ad injection.
https://img.techpowerup.org/191102/seed181.jpg
Example: Install seed4me vpn client and connect any server
go to http://imgsafe.org/ and see
There are new allegations from Ars Technica regarding a new leak of user credentials: https://arstechnica.com/information-technology/2019/11/nordvpn-users-passwords-exposed-in-mass-credential-stuffing-attacks/
TLDR version:
I guess NordVPN could have forced their users to choose stronger passwords, but the VPN account/username doesn’t really mean anything. An attacker could just use your account for free, or perhaps sell it to someone else, but not access your data or decrypt traffic in any way. A VPN password not like an email password, which is actually valuable. It only authenticates and allows you to use the network.
When people hear the word ‘hack’ they assume the worst. When I saw that only expired TLS keys were leaked I was like WHAT? Executing MITM with TLS keys is already hard, but expired ones… like RLY? Seems like TechCrunch wrote an article with an agenda to downplay Nord, not to explain what actually happened lol
Hi Sven, have you seen this revised NordVPN timeline of the hack?
Wondering what your thoughts on it since you covered the TG / Nord lawsuit. Seems like Nord might have lied this whole time and was using the info to blackmail TG while they themselves were the vulnerable party… Does not look good IMO.
https://i.imgur.com/S3Sq5SY.png
Thanks for this. When I saw the Techcrunch article fly through my feed, I came here first and saw nothing (had just happened, not being critical). I was waiting for your response to the incident and figured it would be along when the dust settled and facts presented themselves. Thanks for an even-keel assessment and your due dilligence….as usual.
I read your full article Sven and thank you for taking the time. I’m a Nord user, and all those news on it being hacked worried me a lot, though it was a bit hard to understand what happened. As I understand now it’s more of competitors fighting each other, and Nord users are safe, so thanks for giving me some peace of mind browsing.
“NordVPN has told me they ***WILL*** reconfigure their server network to run in RAM-disk mode only.”
That’s a bit like asking how long a piece of rope is.
Hi Sven, you should do an article on the countries with best and worst jurisdictions for data privacy!
Hello Jax,
Until then you should check out the-
https://restoreprivacy.com/5-eyes-9-eyes-14-eyes
Many facts there, that I’m now IN questions of a global privacy for anyone.
If a jurisdictions to it’s privacy provisions (laws) may have become less importance with the United States Mutual Legal Assistance Treaties and Agreements – with many nations.
–
MLAT treaties – in Departments of Justice, State, and Treasury have aggressively sought to encourage foreign governments to cooperate in joint investigations of narcotics trafficking and money laundering, offering the possibility of sharing in forfeited assets. A parallel goal has been to encourage spending of these assets to improve narcotics-related law enforcement. The long term goal has been to encourage governments to improve asset forfeiture laws and procedures so they will be able to conduct investigations and prosecutions of narcotics trafficking and money laundering that includes asset forfeiture.
–
Though, called out for joint cooperation in narcotics and money laundering related crimes – we all know things can change. Once an agreement/contract is in force it can be forever revised.
One fact in this is like an divorce alimony agreement, if you agree to even a $1. then the doors open for the other party to open discussions/actions to raise the $1. because of your income raised.
Never agreeing to even a $1. shut that door closed for good.
Thank you, appreciate your inputs.
The TechCrunch piece is even worse then you suggested.
They used an ANONYMOUS “senior security researcher” to try to convince everyone how bad this is. Their anonymous “expert” explains how this should be “deeply concerning” for all Nord users. Oh the horror!!!
TechCrunch is owned by Oath INC and it falls under the umbrella of Verizon Media, which itself is an enemy of privacy.
https://www.verizonmedia.com/policies/xw/en/verizonmedia/terms/otos/index.html
Why does anyone take them seriously?
This whole thing reminds me of the nordvpn defamation campaign last year launched by competing vpn services and their employees.
https://vpnpro.com/blog/confusion-in-the-vpn-industry-is-nordvpn-being-defamed/
PIA employee Caleb Chen and CEO started the attack. A Torguard employee named Tom Spark / Kevin Vadala / Corelio Guardez used his youtube channel, reddit and vpnscam website to also spread lies.
So this is just the latest round of vpn companies attacking each other to spred fake news.
Windscribe was also in on the attack with Tom Spark from TorGuard http://archive.is/NBtiP
Yeah it reminds me of how NordVPN gave the ProtonMail reddit rep the personal name of their very own affiliate (Tom spark) because they did not agree with the kid’s youtube videos. And ProtonMail posted it on Reddit. Was there a swiss court order I missed?
It is NOT OK for NordVPN to demand that TorGuard force some kid to take down all his Youtube videos. They blackmailed TorGuard with this hack and would not help them unless they agreed to a “gentleman’s agreement”. This looks like it’s just getting started:
https://torguard.net/blog/when-bug-bounties-border-on-blackmail/
At last, a critical article. I’m a Nord user, and I know your web page has been critical towards this VPN, but it’s better an accurate critique than a positive lie. I carefully read the whole incident, and I understand the rationale for not disclosing this incident instantly, especially if Nord (as they stated) are going through an audit again. Thanks for clarifying that users should not worry and our accounts are not compromised, TechCrunch article formed entirely different view… Just one question, you wrote that NordVPN is “reconfigure their server network to run in RAM-disk mode only” to improve security. Can you explain what exactly this does? Thank you!
This article from ExpressVPN does a good job breaking it down.
Hi Bohemian Rhapsody,
Exactly, as your comment suggests – it’s the perspective people use to break it down of understanding it.
Are they seeing things, (all things) with eye’s wide shut to their logical minds eye view of inspection.
Most doing an immediate assessment as in – “is my glass half full or empty” and motivated off that level of impulse to be alarmed.
All without the proper time in a discovery, a justification, an evaluation of real facts and the path where an alarm would be or not – helpful to everyone…
–
Halloween’s right around the corner as to is the BF – CM deals.
*Motivation ? – This is a big scare for sure without going past any headlines or used self fact-finding skills people have abilities in of their self.
*Ploy ? – to get people shopping for a VPN because of the two (SCARE and Sale) being celebrated nearly a month apart ?
Thanks
Dear Sven,
There is a mistake in your article “According to the provided timeline, NordVPN suspected a possible breach in April 2019” – but it was in March 2018, please correct it 🙂
Source : https://nordvpn.com/blog/official-response-datacenter-breach/
Hello! I’ve heard that NordVPN has noone that could be responsibilized in case something went wrong now or ever. I’m not specialized at the matter, but the problem was related to the missing information about someone legally responsible for the company legal acts. Do you know something about that Sven?
Sven.
–
That was a TRIPLE S(ven).
Sweet, succinct, and substantive.
–
I was nervous as a customer. I read everything here. I see the rational. I understand all sides of it. And I’ve formed my own opinion.
Can you please tell me you will moonlight as a journalist (assuming you already are not). I am sick of the FAKE, bogus, SPIN, and annoying CLICKBAIT as well as maliciousness (conflicts of interest you spoke about with that TechCrunch company . . . )
I need more people like you to be writing the REGULAR news, I’m so tired of FAKE bull crap.
–
Thanks for explaining this in a way a non-technical person can understand too.
—
Thank you!
..
Thank you for this article, a lot of the people are going crazy over this, like they’re spies whose lives are now at risk when in reality they’re probably just bittorrenting the latest movies. Then they switch to PIA or some other 5+ eye country VPN like its somehow better. NordVPN was “hacked” because they are big and everywhere. Nothing perfect or safe from hackers and anything that big will be hacked eventually.
I completely agree with your top 2 concerns though, hopefully they learn and improve from this experience.
Sven,
Have you updated your reviews about Nord? The last time I checked, you left the impression they were awesome and speeds were not an issue and you made no mention “speeds took a hit across the board”.
Yes, variable/slower speeds are noted in the NordVPN review.
Hi Sven,
I found this in comments on Nords Blog.
Regardless, we’ll issue refunds for anyone concerned with this matter. Please contact our Customer Support team to request a refund at support@nordvpn.com
– Via reply to a users comment on their blog announcing their official statement.