The company says that the incident, going back to March 2018, affected only 1 out of its 3,000 servers.
The bad actors exploited an insecure remote management system left by the unnamed Finland-based datacenter provider – with NordVPN saying that it wasn’t even aware of such a system being in use. The incident goes back to March 2018 and NordVPN said it had learned about it “a few months ago”. The company also gave assurances that the server in question did not contain any user activity logs and no user credentials were intercepted.
Nevertheless, the incident compromised a now-expired TLS key. NordVPN claims that there is no conceivable way the key could be used to decrypt VPN traffic on other servers operated by the company and further attempted to tone down the concerns:
“On the same note, the only possible way to abuse website traffic was by performing a personalized and complicated MitM [man-in-the-middle] attack to intercept a single connection that tried to access nordvpn.com,” said the company.
NordVPN also claims that immediately after the incident was discovered they conducted a thorough audit of the whole infrastructure to investigate if there were any other weak points that could be exploited. The contract with the Finnish datacenter was terminated. The reason stated for the late disclosure of the breach is the infrastructure audit which, according to the company, took a longer amount of time due to the sheer number of servers maintained by the service.
NordVPN said it took steps to fix the problem, by speeding up the encryption of their servers and creating a process of moving all their servers to RAM, which is expected to be concluded some time next year. Additional security measures are being put in place. Another audit is being conducted, a bug bounty program is being prepared and data centers will have to meet stricter requirements for cooperation, said the company.