In recent years NordVPN has been on a rampant marketing push with everybody from YouTube comedians to gamers touting the privacy features of the tool.
While we’re not disputing how well a VPN works, a recent disclosure is cause for concern.
NordVPN has declared that it recently became aware of a breach that took place in 2018. The firm says a server in a data centre it uses in Finland was accessed without authorisation. The attacker reportedly gained access to the server through remote management software that the data centre provider had installed. Strangely, NordVPN says it was not aware that the software was on the server.
The good news is that this was an isolated incident and no usernames or passwords were compromised.
“When we learned about the vulnerability the datacenter had a few months back, we immediately terminated the contract with the server provider and shredded all the servers we had been renting from them. We did not disclose the exploit immediately because we had to make sure that none of our infrastructure could be prone to similar issues. This couldn’t be done quickly due to the huge amount of servers and the complexity of our infrastructure,” NordVPN wrote in a statement.
Of course, there is bad news and, as you might imagine, it’s rather bad.
Speaking to The Verge, NordVPN advisory board member Tom Okman said that an attacker may have been able to view the websites a user was accessing from that Finnish server.
“Potential attackers could have gotten only into that server and only intercept the traffic and seen what websites people are browsing — not the content, only the website — for a limited period of time, only in that isolated region,” Okman said.
As a result of this incident NordVPN has said it is working to improve its security mechanisms and has undergone an application security audit. The firm will also be creating a bug bounty programme.
“Even though only 1 of more than 3000 servers we had at the time was affected, we are not trying to undermine the severity of the issue. We failed by contracting an unreliable server provider and should have done better to ensure the security of our customers,” writes NordVPN.
We agree with the firm there: it failed to uphold the security and privacy of its users. Even if an attacker was only able to access a system once last year, that is not good enough.
What dumbfounds us is the fact that NordVPN was unaware of the software its server provider had installed on said server.
Perhaps this will present a teachable moment for NordVPN – if you want to do something right, you need to be a lot more hands-on.