NordVPN confirms an attacker breached a rented Finland server

NordVPN confirmed on Monday that an attacker breached a server it rented from a Finland-based data center. The company, which described the event as an attack rather than a more common hack, says the breach took place in March 2018 but that the attacker did not retrieve any customer information.

“The attacker gained access to the server by exploiting an insecure remote management system left by the data center provider while we were unaware that such a system existed,” the company reports. “The server itself did not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted either.”

The server in question came online on January 31, 2018. The unnamed company maintaining the data center allegedly discovered that its vulnerable remote management account remained on the rented server and deleted it on March 28, 2018, without informing NordVPN. The popular VPN provider supposedly didn’t even know this account existed until “a few months ago.”

A virtual private network, or VPN, creates a secure “tunnel” across the internet. These connections were originally intended for employees to remotely connect to company networks. But now VPN services are available to the masses for accessing region-restricted content and remaining anonymous online. Customers essentially connect to a remote server and use its connection to surf the internet, hiding their online address in the process.

Although your internet service provider can’t log your activity while using a VPN, there’s no guarantee VPN service providers themselves aren’t keeping track of your online travels. NordVPN states that it does not keep logs, however, including “connection timestamps, session information, used bandwidth, traffic data, IP addresses, or other data.”

NordVPN says it didn’t disclose the breach immediately due to its lengthy investigation across its entire infrastructure.

“We had to make sure that none of our infrastructure could be prone to similar issues,” the company reports. “This couldn’t be done quickly due to the huge amount of servers and the complexity of our infrastructure.”

The security alert arrives after reports surfaced claiming attackers breached NordVPN and obtained an expired Transport Layer Security key. NordVPN says the attacker retrieved this key during the breach, but it cannot be used to decrypt VPN traffic on other servers. Instead, the attacker could create a fake NordVPN server to redirect traffic and launch a man-in-the-middle attack on a single connection.

NordVPN says more than 3,000 servers run its VPN service. In this situation, it contracted an “unreliable server provider,” and this was an “isolated case.” The company canceled its contract and “shredded” all servers rented through the unnamed supplier.