NordVPN victim to third-party security failure

Why we must consider suppliers' approaches to security a "competitive differentiator".
22 October 2019

The breach took place at a data center in Finland. Source: Shutterstock

NordVPN, regarded as one of the world’s best virtual private network (VPN) services, has confirmed one of its data centers was hacked last year.

The security breach was said to have taken place in March 2018, at one of its data centers in Finland. NordVPN said it delayed disclosure until it had audited its infrastructure and encrypted its 3,000 servers.

VPNs are typically used by businesses to protect sensitive data, while individual users can add security and privacy on public networks, such as Wi-Fi hotspots.

Privacy is increased because the VPN service routes the user's traffic through an encrypted tunnel to a gateway it operates, so websites see the gateway's IP address in place of the user's own.

A user that's based in Scotland, for example, could use a VPN to appear as though they're based in New York, Singapore, or, in the case of one server NordVPN was renting, Finland.

NordVPN said the breach affected only one server, and resulted from the data center installing a remote access system on that server without informing NordVPN, its customer. That remote access system was insecure, allowing an outsider to gain access.

The VPN provider has played down the severity of the attack, which could have revealed which sites some of its users were browsing, but not the content of their traffic.

"The server itself did not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords couldn't have been intercepted either," NordVPN told TechCrunch.

“On the same note, the only possible way to abuse the website traffic was by performing a personalized and complicated man-in-the-middle attack to intercept a single connection that tried to access NordVPN.”

Speaking to The Verge, NordVPN said that it usually changes the server each user is connected to every five minutes, although users can pick which country they connect through, so any given user would have been affected only briefly.

The firm also revoked the exposed TLS certificate, so any opportunity for the exposure to be exploited further was greatly reduced.

HackerOne's Technical Program Manager, Prash Somaiya, commented on how easy it has become for companies, even those acting in the interest of user privacy, to fall victim to third-party security failings.

If companies are to use suppliers, they must weigh those suppliers' approaches to security as a competitive differentiator "as much as on price," he said.