NordVPN user accounts compromised and passwords exposed, report says

Users' email addresses and plain-text passwords were posted to online forums, Ars Technica reports.

Abrar Al-Heeti
Abrar Al-Heeti Video producer / CNET
Abrar Al-Heeti is a video host and producer for CNET, with an interest in internet trends, entertainment, pop culture and digital accessibility. Before joining the video team, she was a writer for CNET's culture team. She graduated with bachelor's and master's degrees in journalism from the University of Illinois at Urbana-Champaign. Though Illinois is home, she now loves San Francisco -- steep inclines and all.
Expertise Abrar has spent her career at CNET breaking down the latest trends on TikTok, Twitter and Instagram, while also reporting on diversity and inclusion initiatives in Hollywood and Silicon Valley. Credentials Named a Tech Media Trailblazer by the Consumer Technology Association in 2019, a winner of SPJ NorCal's Excellence in Journalism Awards in 2022 and has twice been a finalist in the LA Press Club's National Arts & Entertainment Journalism Awards.
2 min read

NordVPN is urging users to change their passwords. 

James Martin/CNET

Up to 2,000 users of virtual private network NordVPN were the likely targets of credential-stuffing attacks that granted unauthorized access to their accounts, according to a Friday report. Last week, NordVPN said it was the victim of a data breach in 2018.

Users' credentials, which contained email addresses, plain-text passwords and expiration dates associated with user accounts, were posted on online forums like Pastebin, according to Ars Technica. The publication polled a small sample of users from a list of 753 credentials and found that passwords for all but one were still being used. Several people reportedly said their accounts were accessed by unauthorized people. 

It appears the passwords became public through something called credential stuffing, an attack that uses credentials from one leak to access other accounts with the same username and password, according to the report.

"The credentials that were used to get access to NordVPN accounts were stolen from previous leaks and breaches and hacks that have nothing to do with NordVPN," a company representative said. "It could be data that was breached this year from such companies like Canva, Evite, 500px, or even it can be a result of some older breaches like LinkedIn, Dropbox, or MyHeritage."

This incident isn't indicative of a breach on the network's servers, Ars Technica notes. It stems in part from people choosing simple passwords and using them across more than one site. The NordVPN representative said the company is urging customers to change their passwords. 

Users of NordVPN can check Have I Been Pwned to see if their email address is listed, and if it is, should immediately change their password, Ars Technica notes. 

Watch this: What to do if your personal information is part of a data breach

First published Nov. 1.
Update, Nov. 4: Adds comment from NordVPN and reworks first paragraph for clarity.