News has been going around the past week making a big fuss over a hack that happened on one of NordVPN’s servers. In the way news cycles tend to do, this only caused a ton of fear, uncertainty and doubt. Were your private browsing sessions all compromised? Was your data compromised? Are you as a NordVPN user at risk? As much as flamboyant headlines would want you to believe this to get traffic to their publications, the fact is that none of those things happened, and this hack was about as minuscule as they come.
We have an official statement that was sent to us detailing what happened in the breach and I’d like to share it with you below:
“First thing, I want to make it very clear that there are no indications that any of our customers were affected or that their data was intercepted by a malicious actor. The tunnel itself is safe and has never been hacked. Our core databases, our code, and the service itself are also secure and have not been affected. It was single access to 1 of more than 5000 servers we have. The hacker managed to access this server because of the mistakes done by a data center owner.
The facts: what happened
- There are no signs showing that any of our customers were affected or that their data was accessed by the malicious actor.
- While being connected to the server, the hacker could only see what an ordinary ISP would see, but it could not have been personalized or linked to a particular user.
- The intruder managed to gain access to a single server we were renting from a Finnish data center.
- The server itself did not contain any user activity logs. None of our applications send user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted.
- Our service as a whole was not hacked; our code was not hacked; the VPN tunnel was not breached. The NordVPN applications are unaffected. It was an individual instance of unauthorized access to 1 of more than 5000 servers we have.
- The hacker managed to access this server because of the mistakes made by the data center owner, of which we were not aware.
- As soon as we found out about the issue, we ceased our relationship with this particular data center and shredded the server.
- It was not a targeted attack against NordVPN – as the media has discovered, at least two other VPN services were affected. There’s a chance that other services that rented servers from this data center could have been affected as well.
- The incident effectively showed that the affected server did not contain any user activity logs. To prevent any similar incidents, among other means, we encrypt the hard disk of each new server we build. The security of our customers is the highest priority to us and we will raise the standards even more.”
So, there you have it straight from the horse’s mouth. Yes, there was a small breach and, yes, it shouldn’t happen. But in the grand scheme of things, this issue was small, contained, and for those it did affect, the effect of the hack was almost nil. Sometimes, with stories like these, perhaps it is best we all do a bit of research and investigation before we jump to radical conclusions about general security issues.