As the world turns more digital, security should always be top of mind. Unfortunately, some companies spend more money on marketing than they do on the security of their systems.

Recently, media outlets have been publishing a barrage of reports about a hack of a NordVPN server in Finland. Rumors and allegations have spread fast, NordVPN being one of the largest VPN providers on the market.

While the news may be alarming to some, the tangible impact of this issue for NordVPN users is quite limited.

First, to put things in perspective, this hack affected one NordVPN server in Finland. NordVPN has approximately 5,000 servers around the world, so unless you know for certain that you connected to that particular server while the attacker had access (at most between January 31st and March 20th, 2018, according to the timeline NordVPN gives below), you're probably fine.

How the attacker got into that server was not NordVPN's fault as such. Most VPN companies (and many small businesses, for that matter) rent space inside large data centres; this keeps costs down and allows for quick growth when needed. In this case the foothold was a management account that the data centre had created and never disclosed to NordVPN (see the timeline below). Renting the hardware does not outsource the responsibility for knowing what management access exists on it, though, and the real issue with this hack is that NordVPN decided not to say anything for months.

NordVPN provides a summary of events

Before publishing this article, I asked NordVPN for clarification on a few points. One of their representatives provided me with the following summary:

  • There are no signs showing that any of our customers were affected or that their data was accessed by the malicious actor.
  • The server itself did not contain any user activity logs. None of our applications send user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted.
  • Our service as a whole was not hacked; our code was not hacked; the VPN tunnel was not breached. The NordVPN applications are unaffected. It was an individual instance of unauthorized access to 1 of more than 5000 servers we have.
  • The hacker managed to access this server because of the mistakes made by the data center owner, of which we were not aware.
  • As soon as we found out about the issue, we ceased our relationship with this particular data center and shredded the server.
  • It is not possible to decrypt any ongoing or recorded VPN session even if someone obtained the private keys from the VPN server. Perfect Forward Secrecy (with the Diffie-Hellman key exchange algorithm) is in use. Keys from the VPN server are used only to authenticate the server and not for encryption.
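The last point in that summary, that a stolen server key cannot decrypt ongoing or recorded sessions because the key only authenticates the server and the session keys come from an ephemeral Diffie-Hellman exchange, is worth seeing in code. The block below is an added illustration written for this article; it is not NordVPN's code and says nothing about how their servers are actually implemented. It assumes RFC 3526 group 14 for the Diffie-Hellman exchange, a Schnorr signature over the same group as a stand-in for the certificate signature a real server would use, a toy HMAC keystream in place of the real AEAD, and a constructed sample message. It also shows what the statement leaves out: the stolen long-term key cannot read the recording, but it does let the thief stand up a server that clients trust until the key is revoked, and, for contrast, a design that derives session keys from the static key is fully readable once that key leaks.

```python
import hashlib
import hmac
import secrets

# RFC 3526 group 14 (2048-bit MODP): P is a safe prime, G = 2 generates the
# prime-order subgroup of size Q = (P - 1) // 2, so exponents come from [1, Q).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2
Q = (P - 1) // 2

def _i2b(n):
    return n.to_bytes((n.bit_length() + 7) // 8, "big")

def _hash_int(*parts):  # length-prefixed hash so (r, msg) cannot be confused
    return int.from_bytes(hashlib.sha256(b"".join(len(p).to_bytes(4, "big") + p for p in parts)).digest(), "big")

def _rand_exp():
    return secrets.randbelow(Q - 1) + 1

class ServerIdentity:
    """Long-term server key: it only signs (Schnorr over the same group, standing in for the cert signature)."""
    def __init__(self, x=None):
        self.x = x if x is not None else _rand_exp()
        self.pub = pow(G, self.x, P)

    def sign(self, msg):
        k = _rand_exp()
        e = _hash_int(_i2b(pow(G, k, P)), msg) % Q
        return e, (k - self.x * e) % Q

    @staticmethod
    def verify(pub, msg, sig):
        e, s = sig
        r = pow(G, s, P) * pow(pub, e, P) % P  # g^s * y^e == g^k
        return _hash_int(_i2b(r), msg) % Q == e

def derive_key(shared, transcript):
    return hmac.new(b"session-key", _i2b(shared) + transcript, hashlib.sha256).digest()

def stream_xor(key, data):
    """Toy keystream (HMAC-SHA256 in counter mode) standing in for a real AEAD; one call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)

def pfs_handshake(server, trusted_pub, plaintext):
    """Signed ephemeral DH: returns the session key and what a passive recorder on the wire captures."""
    a, b = _rand_exp(), _rand_exp()  # ephemeral; discarded after the handshake
    A, B = pow(G, a, P), pow(G, b, P)
    transcript = _i2b(A) + b"|" + _i2b(B)
    sig = server.sign(transcript)  # the long-term key authenticates, nothing more
    if not ServerIdentity.verify(trusted_pub, transcript, sig):
        raise ValueError("server authentication failed")
    k_client = derive_key(pow(B, a, P), transcript)
    k_server = derive_key(pow(A, b, P), transcript)
    assert k_client == k_server  # both sides hold H(g^ab); x was never involved
    return k_client, {"B": B, "transcript": transcript, "ct": stream_xor(k_client, plaintext)}

def pfs_replay_with_stolen_key(capture, stolen_x):
    """Attacker steals x later and replays the recording; x never entered g^ab, so this yields garbage."""
    guess = derive_key(pow(capture["B"], stolen_x, P), capture["transcript"])
    return stream_xor(guess, capture["ct"])

def static_handshake(server, plaintext):
    """Contrast, NO forward secrecy: the session key comes from the server's static key (static DH / RSA transport)."""
    a = _rand_exp()
    A = pow(G, a, P)
    return {"A": A, "ct": stream_xor(derive_key(pow(server.pub, a, P), _i2b(A)), plaintext)}

def static_replay_with_stolen_key(capture, stolen_x):
    return stream_xor(derive_key(pow(capture["A"], stolen_x, P), _i2b(capture["A"])), capture["ct"])

def impersonate(stolen_x, trusted_pub):
    """What the stolen key DOES buy: a rogue server whose fresh handshakes clients trust until the key is revoked."""
    msg = b"fresh-handshake|" + _i2b(pow(G, _rand_exp(), P))
    return ServerIdentity.verify(trusted_pub, msg, ServerIdentity(stolen_x).sign(msg))

def demo(message=b"constructed sample: traffic inside the tunnel"):
    server = ServerIdentity()
    key, cap = pfs_handshake(server, server.pub, message)
    return {
        "legit_decrypts": stream_xor(key, cap["ct"]) == message,
        "pfs_readable_with_stolen_key": pfs_replay_with_stolen_key(cap, server.x) == message,
        "static_readable_with_stolen_key": static_replay_with_stolen_key(static_handshake(server, message), server.x) == message,
        "impersonation_with_stolen_key": impersonate(server.x, server.pub),
    }
```

Calling `demo()` returns four booleans: the legitimate peer decrypts, the recorded PFS session stays unreadable with the stolen key, the static-key session is readable with it, and impersonation of the server succeeds. The last result is the operational takeaway that the summary above does not spell out: forward secrecy protects the past, but a leaked server key still has to be revoked and replaced before the future is safe.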

Timeline of events from NordVPN:

  1. The affected server was brought online on January 31st, 2018.
  2. Evidence of the breach appeared in public on March 5th, 2018. *Further evidence suggests that this information only became available soon after the breach actually occurred.
  3. The potential for unauthorized access to our server was restricted when the data center deleted the undisclosed management account on March 20th, 2018.
  4. The server was shredded on April 13th, 2019 – the moment we suspected a possible breach.

This post is really meant as a teaching point: when you decide to do business with a company, ask about its security practices. How does it secure data? Is the data encrypted at origin, in transit and at rest? Does it use two-factor authentication for its software and tools? Does it use forward secrecy, so that a stolen server key does not expose past sessions? Any technology company that serves you, the customer, should be able to answer these questions quickly and honestly. Don't expect them to show you where the keys are, but they should be able to tell you that the keys are stored in such a way that, even if stolen, no one could ever reassemble and use them.