VPN Service Provider Announced A Data Breach Incident Which Occurred in 2018
Thursday, October 24, 2019
Consumers in the United States lost both control and privacy protections when the U.S. Federal Communications Commission (FCC), led by President Trump appointee Ajit Pai, a former Verizon lawyer, repealed in 2017 both broadband privacy and net neutrality protections for consumers. Since then, many people have subscribed to Virtual Private Network (VPN) services to regain protections of their sensitive personal information and online activities.
NordVPN, a provider of VPN services, announced on Monday a data breach:
"1) One server was affected in March 2018 in Finland. The rest of our service was not affected. No other servers of any type were put at risk. This was an attack on our server, not our entire service; 2) The breach was made possible by poor configuration on a third-party datacenter’s part that we were never notified of. Evidence suggests that when the datacenter became aware of the intrusion, they deleted the accounts that had caused the vulnerabilities rather than notify us of their mistake. As soon as we learned of the breach, the server and our contract with the provider were terminated and we began an extensive audit of our service; 3) No user credentials were affected; 4) There are no signs that the intruder attempted to monitor user traffic in any way. Even if they had, they would not have had access to those users’ credentials..."
In 2018, NordVPN operated about 3,000 servers. It now operates about 5,000 servers. The NordVPN announcement includes more information including technical details.
Earlier this month, CNET and PC Magazine published their lists of the best VPN services in 2019. PC Magazine's list, which was published before the breach announcement, included NordVPN. So, it is always wise for consumers to do their research before switching to a VPN service.
What to make of this breach? We don't know who performed the attack. My impression: the attack seemed targeted, since few people probably use the single server in Finland. And, this cyberattack seemed very different from the massive retail attacks where hackers seek to steal the payment information (e.g., credit/debit card numbers) of thousands of consumers.
This cyberattack may have targeted a specific person. Perhaps, the attacker was a competitor or the government agency of a country NordVPN has refused to do business with. (Or, maybe this.) Hopefully, investigative journalists with more resources than this solo blogger will probe deeper.
Several things seem clear: a) cybercriminals have added VPN services to their list of high-value targets, b) hackers have identified the outsourcing vendors used by VPN service providers, and c) cyber attacks like this will probably continue. You might say this breach was a warning shot across the bow of the entire VPN industry. Seems like there is lots more news to come.
This attack on one of NordVPN’s servers in Finland was a very curious affair. It wasn’t a massive data breach. Indeed, it is not only unlikely that it focused on more than one target; it would have been next to practically impossible for the attack to extend beyond one target. And for the attack to work to decrypt that target’s traffic, its device or network would have had to have been compromised. So who does that sort of thing? The usual suspects are law enforcement, an intelligence agency, a technically sophisticated criminal, or perhaps even a disgruntled employee. But this wasn’t an attack to steal large amounts of personal data for profitable criminal purpose, because this attack couldn’t and didn’t do that kind of massive data breach.
So who was affected by this highly specific data breach? And why did the perpetrator do it?
In discussing the NordVPN hack, Restore Privacy gives a technically sound analysis of its nature and severity. Here is Restore Privacy’s discussion:
“What could a hacker do with an expired TLS key?
“When people hear the word “hack” they assume the worst. But let’s dig deeper.
“As NordVPN pointed out in their official response,
“The intruder did find and acquire a TLS key that has already expired. With this key, an attack could only be performed on the web against a specific target and would require extraordinary access to the victim’s device or network (like an already-compromised device, a malicious network administrator, or a compromised network). Such an attack would be very difficult to pull off. Expired or not, this TLS key could not have been used to decrypt NordVPN traffic in any way. That’s not what it does.
“This was an isolated case, and no other servers or datacenter providers we use have been affected.
“This leads us to the next question.
“Are NordVPN users compromised?
“Based on all available evidence, the answer appears to be no. NordVPN users have not been compromised by an attacker gaining access to one expired TLS key for a single server in Finland.
“First, the hacker would not have any access to server logs because NordVPN is a no logs VPN provider that does not store anything on its servers. NordVPN passed a third-party audit by PricewaterhouseCoopers verifying its no-logs policy.
“Second, NordVPN utilizes perfect forward secrecy, which generates a unique key for every session using ephemeral Diffie-Hellman keys. This means that even with a TLS key there’s little a hacker could even do, since the keys are used for server authentication and not traffic encryption. As NordVPN pointed out above, the hacker would need direct access to the user’s device or network for an effective attack (extremely unlikely).
“Does this hack even affect anyone?
“There’s no way to be 100% certain with anything, but the answer appears to be no.
“There’s no evidence to suggest traffic or private data from NordVPN users was exploited in this hack.”
NordVPN Hack - Everything That You Need To Know
https://restoreprivacy.com/nordvpn-hack/
So while a breach, it doesn’t seem that any more than one target could have been compromised. And to compromise that target, the target’s device or network would have to have been compromised, which once again points to an intelligence service, law enforcement, or a very sophisticated criminal making an attack against one target.
NordVPN and other securely encrypted VPN services and secure messaging services have now been educated that they must enhance their counterintelligence technology to protect against sophisticated actors who will attack their infrastructure and personnel or the infrastructure and/or personnel of third-party vendors. Because what those actors can’t decrypt, they will get by other means.
Posted by: Chanson de Roland | Monday, October 28, 2019 at 04:52 PM
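The forward-secrecy argument in the Restore Privacy excerpt quoted above (the leaked TLS key authenticates the server, while each session's traffic key comes from ephemeral Diffie-Hellman and is discarded afterwards), worked through as an added Python example that is not part of the original post, the comment, or any NordVPN or Restore Privacy code. The group parameters, the HMAC stand-in for the certificate signature and the XOR stream cipher are toy constructions for illustration only.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for illustration only; real TLS uses
# standardized groups (RFC 7919 finite-field groups or X25519), never this.
P = 2**127 - 1
G = 3

def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2   # ephemeral exponent, lives for one session only
    return priv, pow(G, priv, P)

def sign(tls_private_key, data):
    """HMAC stands in for the RSA/ECDSA signature the long-term TLS key makes over the handshake."""
    return hmac.new(tls_private_key, data, hashlib.sha256).digest()  # never feeds traffic_key()

def traffic_key(shared_secret):
    """Session key derived from the ephemeral DH shared secret alone."""
    return hashlib.sha256(b"session" + shared_secret.to_bytes(16, "big")).digest()

def stream_xor(key, data):
    """Toy stream cipher (SHA-256 keystream XOR); one call both encrypts and decrypts."""
    blocks = len(data) // 32 + 1
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

def handshake_bytes(c_pub, s_pub):
    return c_pub.to_bytes(16, "big") + s_pub.to_bytes(16, "big")

def run_session(tls_private_key, plaintext):
    """One handshake and one encrypted record. Returns the transcript an eavesdropper could
    record, plus the client's ephemeral secret (a real client discards it; returned here only
    so a caller can show what decryption actually requires)."""
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    sig = sign(tls_private_key, handshake_bytes(c_pub, s_pub))
    key = traffic_key(pow(c_pub, s_priv, P))          # server derives the traffic key
    assert key == traffic_key(pow(s_pub, c_priv, P))  # client derives the same key
    return {"c_pub": c_pub, "s_pub": s_pub, "sig": sig, "ct": stream_xor(key, plaintext)}, c_priv

def verify_server(transcript, tls_private_key):
    """What the long-term key is for: checking who signed the handshake."""
    expected = sign(tls_private_key, handshake_bytes(transcript["c_pub"], transcript["s_pub"]))
    return hmac.compare_digest(transcript["sig"], expected)

def decrypt_recording(transcript, client_ephemeral_priv):
    """Decrypting a recording needs an ephemeral exponent; the transcript carries none."""
    key = traffic_key(pow(transcript["s_pub"], client_ephemeral_priv, P))
    return stream_xor(key, transcript["ct"])
```

verify_server() succeeds with the long-term key alone, which is all that key does; decrypt_recording() cannot even be called without an ephemeral exponent that the recording never contains, and two sessions under the same TLS key produce unrelated ciphertexts.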
Is there any evidence that any user's data was compromised other than TC articles?
Despite the fact that TC is owned by a Nord competitor, everything is hackable and you will not find anything 100% secure; a VPN just makes your device safer and harder for attackers to hack into. I read NordVPN's statement and it shines some light on the issue.
Posted by: Sonic | Sunday, November 03, 2019 at 12:14 PM