Yesterday (Monday), NordVPN revealed that one of its servers was breached in March 2018, exposing some of the browsing habits of customers who were using the VPN service to keep their data private.
NordVPN is a personal virtual private network service provider. It has desktop applications for Windows, macOS, and Linux, mobile apps for Android and iOS, as well as an application for Android TV.
NordVPN says the server, located in Finland, did not contain activity logs, usernames, or passwords. But the attacker would have been able to see what websites users were visiting during that time, a company advisor said, although the content of the websites likely would have been hidden due to encryption.
Tom Okman, a member of NordVPN’s tech advisory board, said, “Potential attackers could have gotten only into that server and only intercept the traffic and seen what websites people are browsing — not the content, only the website — for a limited period of time, only in that isolated region.”
Okman says NordVPN usually changes the server each user is connected to every five minutes or so, but that users get to pick which country they are connecting through.
The flaw was limited to a single server, NordVPN says. According to the blog post, the data center installed a remote access system on the server without telling the VPN provider, and that system was insecure, which allowed an outsider to gain access.
The server was vulnerable between January 31st, 2018 and March 20th, 2018, but NordVPN believes it was only breached once, during March.
NordVPN says information taken from the server couldn’t have been used to decrypt traffic on any other server. It acknowledges that a stolen encryption key, which is now expired, could have been used to perform a man-in-the-middle attack, with the hacker disguising themselves as a NordVPN server. But NordVPN says such an attack would have to be “personalized and complicated” and apply to a single person at a time.
No other data centers were affected, NordVPN says, and it has cut ties with the company that maintained the flawed server.