UPDATE 14:00 11/04/2019

NordVPN has issued the following statement regarding user credentials appearing online.

“Credential stuffing is a cyberattack in which credentials obtained from a data breach on one service are used to attempt to log in to another, unrelated service. The listed credentials have been acquired from previous leaks and breaches that had nothing to do with NordVPN. It is important to understand that these lists don’t signal a breach on any of NordVPN servers.

Our security team is proactively scanning such credential lists on both public sites and the dark web, and we are urging our clients to change their passwords. Over the past year, we notified approximately 50,000 customers to change their passwords; however, the password change rate is only around 50%. The database we use to check these credentials is ever-growing and consists of more than 30 billion entries.

2,000 accounts having been matched is an issue, but we have 12M customers in total. We have always been working on preventive means, like rate-limiting, smart detection systems, and, in the future, two-factor authentication (2FA). Additionally, we always advise our clients through our social media channels, blog, and customer newsletters that they must keep their passwords unique and strong.”

The original story continues below.


Virtual private network (VPN) provider NordVPN recently disclosed a breach which affected one of its servers.

The attack took place in 2018 but NordVPN said it only became aware of the breach recently.

But now it seems that NordVPN users may have been compromised again, this time with user credentials being posted online.

A report by Ars Technica reveals that as many as 2 000 users have had their email addresses, plain-text passwords and NordVPN expiration dates leaked online. Lists containing credentials were sent to both the publication as well as Have I Been Pwned.

While it may seem as if the recent breach disclosure and this leak of data are related, there’s no way of telling for sure right now. Indeed, Ars Technica reports that many of the passwords are simple with some being simple words and others being a surname with a few numbers added to the end for good measure.

It’s likely then that whoever created these lists of user data was using credentials gleaned from other leaks but we simply do not know for certain.

The practice is commonly referred to as credential stuffing. Credential stuffing sees cybercriminals using data from other data leaks in a bid to compromise other services. Attackers automate logins and test which folks were unwise enough to reuse passwords on other websites.

For those who are still making use of NordVPN we recommend checking if your credentials have been compromised. To do this, head to haveibeenpwned.com and key in your email address. Should your credentials have been compromised, it’s a great idea to change your password.

[Image – CC 0 Pixabay]