A NordVPN server was hacked; users’ traffic was exposed to the attacker

Virtual private network (VPN) service provider NordVPN has disclosed a hacking incident that occurred last year. According to web application security experts, in March 2018 a threat actor broke into one of the company’s servers, located in Finland, exposing some data about its customers’ browsing habits.

NordVPN states that the server held no activity logs, usernames, or passwords. However, the attacker was able to see which sites users visited while the intrusion was active. The content exchanged with those sites remained protected by the sites’ own encryption (HTTPS), but the destination hostnames are visible to whoever controls the server the traffic exits from.

VPN services have become very popular over the past two years, although many Internet users still don’t know exactly what they consist of. Web application security experts explain that a VPN service works by routing users’ Internet traffic through servers in other cities or countries, so that websites and the user’s ISP see the VPN server’s address rather than the user’s own. The security-relevant caveat is that the tunnel is encrypted only between the user and the VPN server: whoever controls that server sees the traffic exactly as the user’s ISP otherwise would, which is why the compromise of a single exit server amounts to an exposure of its users’ browsing activity.
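What a compromised exit server can read even when the sites themselves use HTTPS: the destination hostname travels in the clear in the Server Name Indication (SNI) extension of the TLS ClientHello (and in the DNS lookup that precedes it). The following is an added example, not code from NordVPN or from the article: it builds a constructed ClientHello and then extracts the SNI from it the way a passive observer on the server would. The hostnames, the extension layout and all sample bytes are the example’s own assumptions, not captured traffic.

```python
"""Passive SNI extraction: what the operator of a VPN exit server (or an
attacker who has taken it over) learns from a TLS ClientHello.

Added example, not NordVPN's or the article's code. The ClientHello bytes are
constructed here for the demo; they are not captured traffic."""
import struct
from typing import Optional


def _u16(n: int) -> bytes:
    return struct.pack("!H", n)


def _u24(n: int) -> bytes:
    return struct.pack("!I", n)[1:]


def build_client_hello(hostname: str, client_random: bytes = b"\x00" * 32) -> bytes:
    """Build a minimal TLS 1.2-style ClientHello record carrying an SNI extension."""
    host = hostname.encode("idna")
    sni_entry = b"\x00" + _u16(len(host)) + host          # name_type 0 = host_name
    sni_list = _u16(len(sni_entry)) + sni_entry
    ext_sni = _u16(0) + _u16(len(sni_list)) + sni_list    # extension type 0 = server_name
    ext_other = _u16(0x0017) + _u16(0)                    # extended_master_secret, empty
    extensions = ext_other + ext_sni                      # SNI deliberately not first
    body = (
        b"\x03\x03"                                       # client_version: TLS 1.2
        + client_random                                   # 32-byte ClientRandom
        + b"\x00"                                         # session_id: empty
        + _u16(2) + b"\x13\x01"                           # one cipher suite
        + b"\x01\x00"                                     # compression: null only
        + _u16(len(extensions)) + extensions
    )
    handshake = b"\x01" + _u24(len(body)) + body          # HandshakeType 1 = client_hello
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake  # ContentType 22 = handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's SNI extension, or None.

    None is returned for non-handshake records, non-ClientHello handshakes,
    truncated input, or a ClientHello without SNI (the observer then still
    has the destination IP, just not the name)."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None                                       # truncated capture
    pos = 2 + 32                                          # skip version + random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                                  # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                                  # compression_methods
    if pos + 2 > len(body):
        return None                                       # no extensions block
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        return None
    while pos + 4 <= end:                                 # walk the extension list
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype != 0 or len(edata) < 2:
            continue
        list_end = min(len(edata), 2 + struct.unpack("!H", edata[:2])[0])
        i = 2
        while i + 3 <= list_end:
            name_type = edata[i]
            name_len = struct.unpack("!H", edata[i + 1:i + 3])[0]
            name = edata[i + 3:i + 3 + name_len]
            i += 3 + name_len
            if name_type == 0 and len(name) == name_len:
                return name.decode("idna")
    return None


def observed_hostnames(records) -> list:
    """Hostnames a passive observer on the exit server would log from a stream
    of records; application_data records (ContentType 23) yield nothing."""
    return [h for h in (extract_sni(r) for r in records) if h is not None]


if __name__ == "__main__":
    # Constructed sample traffic: two TLS connections plus one encrypted data record.
    stream = [
        build_client_hello("bank.example"),
        b"\x17\x03\x03\x00\x05hello",                     # application_data: opaque
        build_client_hello("news.example"),
    ]
    print(observed_hostnames(stream))
```

The point of the demo is the asymmetry the article describes: the observer sees every hostname a user connects to, but the `application_data` records carrying page content are opaque to it. Encrypted Client Hello (ECH), where both client and site support it, hides the SNI as well; without it, the hostname list the attacker obtained is exactly what this parser returns.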

Tom Okman, NordVPN’s technology advisor, said: “The person responsible for the attack could have infiltrated the specified server, intercepting only the traffic and the name of the websites visited for a short period of time.”  

NordVPN also mentioned that the server each user is connected to changes approximately every five minutes, although users can choose the country in which the connection is established. In other words, individual users may have been exposed, but only intermittently and for short periods. Most of the exposed users are believed to be located in Finland, where the server is located.

Some web application security experts began spreading the word about the incident over the past weekend. The statement posted by NordVPN adds that the intrusion could have lasted months and was most likely possible because an unsecured remote access system had been installed on the compromised server. Remote management interfaces left reachable from the Internet with weak or no authentication are a well-known entry point, because they sit outside whatever hardening the server itself has.

The window of exposure is estimated to run from January 31 to March 20, 2018, although the attacker is believed to have actually broken into the server only once, in March.

As for follow-on attacks, the company states that information stored on the compromised server cannot be used to decrypt traffic from its other servers. NordVPN acknowledges that a stolen encryption key could have been used to mount a Man-in-the-Middle (MitM) attack, but notes that an attacker would also need to get between the victim and the service on the network path, which makes such an attack difficult to carry out in practice; the possibly compromised keys have in any case already been revoked.

As an additional measure, NordVPN terminated its working relationship with the provider in charge of the compromised server.

Web application security experts from the International Institute of Cyber Security (IICS) note that the company is informing customers about the incident by email, albeit largely as a formality, since it insists that this cannot be considered a hacking incident: “This is more of an isolated security breach. No user’s information has been compromised,” Okman concludes.