Up to 2,000 users of virtual private network NordVPN were the likely targets of credential-stuffing attacks that granted unauthorized access to their accounts, according to a Friday report. Last week, NordVPN said it was the in 2018.
Users' credentials, which contained email addresses, plain-text passwords and expiration dates associated with user accounts, were posted on online forums like Pastebin, according to Ars Technica. The publication polled a small sample of users from a list of 753 credentials and found that passwords for all but one were still being used. Several people reportedly said their accounts were accessed by unauthorized people.
It appears the passwords became public through something called credential stuffing, an attack that uses credentials from one leak to access other accounts with the same username and password, according to the report.
"The credentials that were used to get access to NordVPN accounts were stolen from previous leaks and breaches and hacks that have nothing to do with NordVPN," a company representative said. "It could be data that was breached this year from such companies like Canva, Evite, 500px, or even it can be a result of some older breaches like LinkedIn, Dropbox, or MyHeritage."
This incident isn't indicative of a breach on the network's servers, Ars Technica notes. It stems in part from people choosing simple passwords and using them across more than one site. The NordVPN representative said the company is urging customers to change their passwords.
Users of NordVPN can check Have I Been Pwned to see if their email address is listed, and if it is, should immediately change their password, Ars Technica notes.
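For a service on the receiving end of the credential stuffing described above, the pattern is visible in login logs: one source tries many different accounts, most attempts fail, and the few that succeed mark accounts whose passwords need a forced reset. The following is an added example, not code from NordVPN or Ars Technica; the log format, the thresholds and the function name `find_stuffing_sources` are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample login log (assumed format: timestamp ip= user= result=).
SAMPLE_LOG = """\
2019-11-01T10:00:01Z ip=203.0.113.7 user=alice@example.com result=fail
2019-11-01T10:00:02Z ip=203.0.113.7 user=bob@example.com result=fail
2019-11-01T10:00:02Z ip=198.51.100.20 user=bob@example.com result=fail
2019-11-01T10:00:03Z ip=203.0.113.7 user=carol@example.com result=ok
2019-11-01T10:00:09Z ip=198.51.100.20 user=bob@example.com result=ok
2019-11-01T10:00:10Z ip=203.0.113.7 user=dave@example.com result=fail
2019-11-01T10:00:11Z ip=203.0.113.7 user=erin@example.com result=fail
2019-11-01T10:00:12Z ip=192.0.2.44 user=dave@example.com result=ok
2019-11-01T10:00:13Z ip=203.0.113.7 user=frank@example.com result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

def find_stuffing_sources(log_text, min_accounts=5, max_success_ratio=0.2):
    """Flag source IPs that tried many distinct accounts and mostly failed.

    Returns {ip: stats}. 'accounts_compromised' lists the accounts the source
    did log in to; those are the ones to lock and force a password reset on.
    """
    tried = defaultdict(set)      # ip -> distinct usernames attempted
    attempts = defaultdict(int)   # ip -> total login attempts
    succeeded = defaultdict(set)  # ip -> usernames with a successful login
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore malformed lines rather than guessing at fields
        ip, user = m["ip"], m["user"].lower()
        tried[ip].add(user)
        attempts[ip] += 1
        if m["result"] == "ok":
            succeeded[ip].add(user)
    flagged = {}
    for ip, users in tried.items():
        ratio = len(succeeded[ip]) / len(users)
        # A user retyping a password hits one account; stuffing hits many.
        if len(users) >= min_accounts and ratio <= max_success_ratio:
            flagged[ip] = {
                "accounts_tried": len(users),
                "attempts": attempts[ip],
                "accounts_compromised": sorted(succeeded[ip]),
            }
    return flagged

if __name__ == "__main__":
    print(find_stuffing_sources(SAMPLE_LOG))
```

The single-IP grouping is the simplest case; attackers who spread attempts across many addresses need the same counts keyed on other signals, which this sketch does not cover.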
First published Nov. 1.
Update, Nov. 4: Adds comment from NordVPN and reworks first paragraph for clarity.