"NordVPN gives you peace of mind each time you use public Wi-Fi, access personal and work accounts on the road, or want to keep your browsing history to yourself." That's just a small sample of the many advantages touted on the homepage of NordVPN, one of the best-known commercial providers of virtual private networking services, or VPNs. VPNs have grown popular in recent years as we seek out ways to shield our digital privacy from the likes of ISPs, advertisers and governments. But "peace of mind" is the opposite of what Nord customers got last week, when the company was forced to acknowledge that a security breach through a third-party server affected its service back in 2018.
Yes, one of NordVPN's 5,100 servers got "hacked" according to TechCrunch, though the company vehemently denies that characterization. But to be clear, Nord wasn't "Equifax hacked" -- it faced a security breach more akin to someone rummaging through an unlocked car than to a thief committing full-scale grand theft auto. But for a company that advertises itself as a bulwark of personal security and privacy, any break-in is a serious matter -- doubly so for a field as competitive as consumer VPNs.
Just like nearly every large virtual private network (VPN) company, Nord rents server space from third-party data centers around the world. An unknown attacker got root access to a single Nord server in Finland because that data center left its own server management system insecure. The attacker got ahold of some security certificates that, when combined with a bit of chicanery, hypothetically could have been used to create a fake Nord server until they expired.
In its public statement, Nord said the breach happened in March 2018, but that Nord only found out about it "a few months ago." The company's reaction to the news at the time was to immediately terminate its contract with the data center, and silently set about auditing every single one of its 5,000 servers for any similar risks.
Tom Okman, of Nord's tech advisory board, told CNET that the process is still ongoing.
"We had to contact all of our hundreds and hundreds of data centers all around the world to make sure there was no unverified account on any other server," Okman said.
In the meantime, though, Nord continued advertising itself as a bulwark of online safety and security. It didn't disclose the incident to users or the public until a security researcher on Twitter forced its hand by alleging Nord was "compromised at some point." Nord's blog post followed shortly after.
That timing didn't inspire confidence among the security press and privacy-minded people.
"Hacks happen, nobody's holding NordVPN at fault for that, but what people don't seem to understand is that with VPN services, you're buying trust, which comes in the form of a service. If that trust gets violated, then there's no point in using the service," one commenter wrote.
All told, the attacker was unable to view much of anything about the 50 to 200 users intermittently routing through that server, usually for just five minutes at a time. No passwords, usernames, credentials or NordVPN account information are sent to that section of infrastructure, the company said.
Three encryption keys were leaked, but they were the kind that are useless after an hour. And even after peeling back a single layer of VPN encryption, users' internet traffic is still protected by other layers of encryption, meaning the attacker would only have been able to see what an internet service provider might see for most users -- what domain you're visiting, how much time you spend on a site, and so forth.
The good news is that there wasn't much else for the attacker to see, because Nord doesn't keep user activity logs. That's the new table-stakes feature of the biggest VPNs, as it's one of the most notable privacy guarantees on the market. Last year, Nord became the first major VPN to have its no-logging policy independently audited.
Is it a deal breaker?
I asked Engin Kirda, a professor at Northwestern University's Khoury College of Computer Science, whether this server breach should be a deal breaker for people when it comes to using NordVPN.
"Server breaches, unfortunately, happen -- even if you are very well-prepared, thinking that it will never happen to you is not realistic these days," Kirda said. "Even if you do everything correctly, you often still rely on third-party services and third-party software, and there might be unknown vulnerabilities there that you are not aware of. Absolute security is often not possible."
What a good company should do, he said, is strive to discover any breach that may occur as fast as possible.
"In this case, it seems that the third-party that was breached failed to inform Nord, and that probably put some customers at risk (if customer information was lost)," Kirda said. "Nord seems to be taking this seriously and making sure that their third-party reliance is not going to result in something similar in the future. At this stage, this is probably the best they can do."
Nord caught a lot of flak online for not immediately owning up to the breach when it learned about it. Compare that to, say, LastPass, the password manager provider that self-disclosed an issue after it was notified of -- and fixed -- a vulnerability in September.
But there's a good reason a VPN would want to conduct this kind of audit without the world knowing about it. If you're a malicious hacker and you find out someone got into an industry-leading VPN's server a certain way, the first thing you'd try to do is replicate the attack.
According to Scott Watnik, a partner at Wilk Auslander LLP and chairman of the firm's cybersecurity practice, the overwhelming majority of cyber laws in the US don't consider mere unauthorized access to be a "cyber breach" unless personally identifying user information is stolen.
"If no personal info is acquired or exfiltrated from the network, there really wouldn't be a requirement for disclosure of the incident," Watnik said. "If the anonymity of Nord users was maintained at all times, your security was breached but the privacy was not. From that perspective, if privacy really was protected … there was not a cyber breach."
Nord's Okman said he would have preferred the breach not be disclosed until the audit was done, of course, but once the cat was out of the bag Nord needed to respond to user concerns. Nord is raising its standards for the data centers it contracts with, Okman said. He also agreed that better practices could have been applied.
"We are now doing an internal audit, so we're going to have bigger requirements for them, just to verify that this will not happen in the future," Okman said.
Nord is also making a number of server security improvements, including using only physical hardware servers.
"We are now building only encrypted servers, immune to such breaches. We are also developing a process to move all of our network to RAM disks," a Nord spokesperson said. "We had thoroughly checked the affected server to see if there were any additional software installed or configuration changes made. There were no signs that could possibly indicate that anyone meddled with it."
The trust question
Beyond its currently ongoing audit, Nord said next year it will "launch an independent external audit all of our infrastructure to make sure we did not miss anything else." And the company is also setting up a bug bounty program to further entice the community at large to help it snuff out potential security issues before they can be exploited.
So, where does that leave VPN users looking for the safest vendor to secure their browsing? Based on everything we've learned about the event, existing Nord users' account information appears to be safe. And any potential exposed browsing data would've been limited to a small number of users on a single server for a very short duration of time.
Still, Nord is offering refunds to any of its users who are dissatisfied with how the company handled the disclosure of the breach and its aftermath.
"Regardless, we'll issue refunds for anyone concerned with this matter. Please contact our Customer Support team to request a refund at firstname.lastname@example.org," said Nord blog moderator Jordan Page. Whether or not that refund offer is available indefinitely is unclear.
As for potential new customers? Well, the VPN market is competitive, so there are plenty of other providers that will take your money. But consider that the same sort of attack that Nord suffered appears to have been employed against TorGuard and Viking VPN, too: You're never going to have 100% certainty on the security question.
That's why the decision whether to trust a VPN company has less to do with whether one of its servers got hacked and more to do with whether the company has reasonable security measures, and whether it was transparent and accountable afterward.