NordVPN, a popular VPN provider, said Monday it was the victim of a data breach in 2018. The company said that so far the impact from the hack was minor, but it plans on upping its security efforts.
The VPN company released details on Monday of the March 2018 data breach, reported earlier by TechCrunch. An unauthorized user accessed a lone server in a Finland data center that NordVPN was renting from an unnamed provider, which apparently didn't disclose the hack. NordVPN says no usernames or passwords were intercepted.
Techs at the company found an account of the data breach a few months ago, which led to a security audit. The VPN provider said it canceled its contract with the data center and verified that none of its servers could be accessed in a similar fashion.
"We are taking all the necessary means to enhance our security. We have undergone an application security audit, are working on a second no-logs audit right now, and are preparing a bug bounty program," the company said in a press release Monday. "We will give our all to maximize the security of every aspect of our service, and next year we will launch an independent external audit ... of our infrastructure to make sure we did not miss anything else."
Tom Okman, a member of NordVPN's tech advisory board, told CNET that NordVPN is raising its standards for the data centers it contracts with. Okman said they agree better practices could have been applied.
"We are now doing an internal audit, so we're going to have bigger requirements for them, just to verify that this will not happen in the future," Okman said.
Okman attributed the lengthy delay in confirming the leak to an intensive review of NordVPN's infrastructure.
"We had to contact hundreds and hundreds of data centers all around the world, to audit and make sure there was no unverified account on any other server," he said.
First published Oct. 21.
Update, Oct. 22: Adds comment from Tom Okman, a member of NordVPN's tech advisory board.