NordVPN, one of the most popular VPN services, confirmed today that it experienced a data breach in 2018, which it only learned about itself a few months ago. The data breach's primary target was apparently NordVPN's hosting provider, with NordVPN customers being caught in the crosshairs.
NordVPN released a statement today confirming the data breach and also stating that its network is now secure against the leaked TLS keys.
According to NordVPN, one of its hosting providers had been using a remote management system without NordVPN's knowledge. Malicious parties were able to exploit this system and gain access to the hosting providers’ customer data, including encryption keys used by NordVPN’s servers.
NordVPN said its unnamed hosting provider launched the remote management system on January 31, 2018 and closed it by March 20, 2018, when the hosting provider discovered its tool had been compromised. However, NordVPN claimed that it wasn’t notified about the security issue at the time.
After learning about this incident only a few months ago, NordVPN fixed the issue and then double-checked that its network was no longer vulnerable to abuse of the leaked data. NordVPN also said that since then it has increased the security requirements it requests of its hosting providers.
NordVPN has also started the process of moving its server operations completely to RAM. This would keep users’ logs from being stored on a hosting providers’ disks. If the company would choose hosting providers that take advantage of AMD Epyc’s Secure Encrypted Virtualization or Intel’s yet-to-be-released Multi-Key Total Memory Encryption, it could also further protect users’ data being used in RAM.
The VPN company took partial blame for the breach for choosing an "unreliable" hosting provider and not doing more to ensure customer security. However, it also noted that only one out of its 3,000 servers should have been affected by this data breach.
NordVPN said it is working on a second no-logs audit of its infrastructure and preparing a bug bounty program. It also committed to launching an external third-party audit of its service next year.
NordVPN’s Compromised TLS Keys
Twitter user @hexdefined first revealed on Twitter yesterday that NordVPN’s expired TLS keys had been compromised. This would have potentially allowed malicious parties to run execute man-in-the-middle attacks against its customers using VPN servers that looked like they belonged to NordVPN.
NordVPN claims a “no-log” policy, meaning that the company doesn’t track, collect or share private data. However, this wouldn’t have had any impact on the customers who got lured into using the fake servers, as those malicious servers would be able to collect the users’ data at will.
The source for the initial rumor about the data breach was an anonymous 8chan user who linked to a Ghostbin page that seemingly contained encryption keys of NordVPN servers. Hexdefined was able to confirm that the keys worked to create a local NordVPN lookalike server.
TorGuard, a competing service that also seems to have had some its Certificate Authority (CA) keys leaked in the past few years, took the opportunity to point out that its customers’ data couldn’t have been impacted because it uses a secure public key infrastructure management. This means that its encryption keys are never stored on the VPN servers themselves, and, therefore, no one can decrypt its users’ VPN connections.