NordVPN provides a popular Virtual Private Network (VPN) service.

It is used by clients around the world. Unfortunately, they recently disclosed that a server in one of their data centers was breached back in March of 2018.

According to the details released, the server was located in a data center in Finland.

It was compromised due to an insecure remote management system that was left in place by the data center provider. Worse, this was a system that NordVPN never even knew existed. The company said that they learned of the breach some months ago but held off on disclosing the details until they could be sure that their systems were secure. In the meantime, though, they quietly terminated their contract with the provider in question and shredded the servers that the company had been renting from them.

As the official statement released by NordVPN put it:

"The server itself did not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords couldn't have been intercepted either."

Researchers also discovered that NordVPN had an expired private key left inadvertently exposed.  This would have allowed anyone who gained access to it to set up a server that imitated NordVPN.

The company addressed this point as well, saying:

"...the key couldn't possibly have been used to decrypt the VPN traffic of any other server.  On the same note, the only possible way to abuse the website traffic was by performing a personalized and complicated man-in-the-middle attack to intercept a single connection that tried to access NordVPN."

Our perspective

Assurances aside, the fact that it happened at all is troublesome.  In any case, according to the official statements released by the company and informed by their ongoing investigation, it doesn't appear that any sensitive user data was exposed. So if you're a NordVPN user, you can breathe a sigh of relief about that.  Stay tuned for additional updates from the company.

 

As Hill Street Blues' Sgt. Esterhaus always advised: "Hey, let's be careful out there!"

 


The author

Thanks for reading this short post. For more tips on thriving with small business technology, check out the other blog posts at DWPia Blogs. I am also available on LinkedIn, Facebook, and Twitter.

I am Denis Wilson, President and Principal Consultant for DWP Information Architects. I help professionals grow their business by building a foundation of rock-solid information solutions for smaller healthcare, insurance, financial, legal, and nonprofit firms in Ventura County and San Fernando Valley. I have created cost-effective IT solutions for over 20 years, specializing in cybersecurity and regulatory compliance. I am also a published author and speaker, working extensively with a variety of organizations, as well as providing small business technology education programs through business and professional associations. This just in: I will be speaking regularly at California Lutheran University's Center for Nonprofit Leadership starting in September.

Contact me if you would like me to speak at your association.