Popular VPN service NordVPN confirms data center breach

Hackers in 2018 accessed a lone server in Finland.

Oscar Gonzalez Former staff reporter
Oscar Gonzalez is a Texas native who covered video games, conspiracy theories, misinformation and cryptocurrency.
Expertise Video Games, Misinformation, Conspiracy Theories, Cryptocurrency, NFTs, Movies, TV, Economy, Stocks
Rae Hodge Former senior editor
Rae Hodge was a senior editor at CNET. She led CNET's coverage of privacy and cybersecurity tools from July 2019 to January 2023. As a data-driven investigative journalist on the software and services team, she reviewed VPNs, password managers, antivirus software, anti-surveillance methods and ethics in tech. Prior to joining CNET in 2019, Rae spent nearly a decade covering politics and protests for the AP, NPR, the BBC and other local and international outlets.
Oscar Gonzalez
Rae Hodge
2 min read

Even virtual private networks can get hacked. 

James Martin/CNET

NordVPN, a popular virtual private network, said Monday it was the victim of a data breach in 2018. The company said that so far the impact from the hack was minor, but it plans on upping its security efforts. 

The VPN company released details on Monday of the March 2018 data breach, reported earlier by TechCrunch. An unauthorized user accessed a lone server in a Finland data center that NordVPN was renting from an unnamed provider, which apparently didn't disclose the hack. NordVPN says no username or passwords were intercepted. 

Techs at the company found an account of the data breach a few months ago, which led to a security audit. The VPN provider said it canceled its contract with the data center and verified that none of its servers could be accessed in a similar fashion. 

"We are taking all the necessary means to enhance our security. We have undergone an application security audit, are working on a second no-logs audit right now, and are preparing a bug bounty program," the company said in a press release Monday. "We will give our all to maximize the security of every aspect of our service, and next year we will launch an independent external audit ... of our infrastructure to make sure we did not miss anything else."

Tom Okman, a member of NordVPN's tech advisory board, told CNET that NordVPN is raising its standards for the data centers it contracts with. Okman said they agree better practices could have been applied.

"We are now doing an internal audit, so we're going to have bigger requirements for them, just to verify that this will not happen in the future," Okman said. 

Okman attributed the lengthy delay in confirming the leak to an intensive review of NordVPN's infrastructure. 

"We had to contact hundreds and hundreds of data centers all around the world, to audit and make sure there was no unverified account on any other server," he said. 

Read more: The best VPN services for 2019

First published Oct. 21.
Update, Oct. 22
: Adds comment from Tom Okman, a member of NordVPN's tech advisory board.