NordVPN was guilty of a marketing faux-pas over the weekend. But unbeknownst to them, their social media bravado appeared to have led to the revelation of a pretty significant security breach.
The significance of this breach has since been played down by NordVPN in an official statement.
NordVPN’s marketing mistake
The faux-pas came in the form of a tweet sent out late in the day on Friday, no doubt intended to catch the eye of commuters on the way home from a long week at work.
It read “Ain’t no hacker can steal your online life. (If you use a VPN). Stay safe.” This was followed by a link to the signup page on the NordVPN website.
The claim was a gross overstatement, to say the least.
VPNs offer users an encrypted connection and online privacy but there are not, on their own, a panacea to all online security risks. They should be used as part of a suite of online security tools along with anti-virus software, anti-malware software, a firewall and so on.
There was a rapid backlash against the tweet and, to their credit, NordVPN was quick to take it down.
As they noted in their subsequent apology, “the text lacked editorial oversight.” Too right it did.
In normal circumstances, such a marketing blunder would be chalked up to experience and you would expect NordVPN to be much more careful in what they tweeted moving forward.
But, unfortunately for NordVPN, their tweet triggered a very specific response from one security researcher in particular.
Was NordVPN compromised?
A twitter account called undefined which uses the handle @hexdefined chose the following day to kick off a real firestorm for NordVPN. The account is credited to an anonymous hacker who claims to be based in Wellington, New Zealand, but in reality, could be based anywhere.
The account tweeted on Saturday that “apparently NordVPN was compromised at some point. Their (expired) private keys have been leaked, meaning anyone can just set up a server with those keys.”
The tweet was accompanied by a series of images which appear to suggest that the TLS certificate for the NordVPN website had indeed expired. One image showed a screen under the NordVPN URL which said, “This is not NordVPN” and appeared to suggest another actor was impersonating the site.
@hexdefined suggested in subsequent tweets that this was what a ‘Man in the Middle’ attack would look like.
This type of cyberattack is when a hacker is able to position themselves between the online communications of two parties and intercept or even divert traffic and data passing between the two.
He then went on to claim that NordVPN’s OpenVPN keys had also been leaked and provided as evidence a link to another anonymous hacker’s account on Twitter, @keksec, which in turn provided a link to what did indeed appear to be the keys.
If this is the case, it potentially means that hackers would have been able to decrypt traffic which was passing, supposedly securely, through NordVPN’s network.
A rival VPN service, @cryptostorm_is, concurred and also added that it appeared NordVPN had not been practising PKI Management. “The attackers clearly had root access, so they could have just sniffed traffic directly, or injected malicious things into the plaintext traffic,” he added.
What this means for NordVPN users
If this information is correct, it is a massive blow to NordVPN’s credibility.
It would mean that their VPN had been successfully compromised, without their knowledge, and the privacy and security of all of their users potentially effected. For a VPN, this is a massive problem and puts their blundering marketing department into sharp context.
But NordVPN have been quick to play down the concerns of users. After looking into the data files highlighted, they have posted an official statement on their website explaining what happened.
In the statement, NordVPN are adamant that no user data or login credentials were compromised at any time.
According to NordVPN, the issue arose from a breach at one data centre where NordVPN was renting servers in Finland.
They claim this breach occurred owing to a vulnerability that they were not aware of. The expired TLS certificate was apparently taken at the same time as this Finnish breach.
NordVPN insists that “the key couldn’t possibly have been used to decrypt the VPN traffic of any other server” which means that only data passing thorough this one Finnish server could have been affected by this breach.
How has NordVPN rectified the situation
So, what steps has NordVPN taken to address the breach.
Firstly, as soon as they learned about the breach, NordVPN terminated their agreement with the data centre involved and “shredded” the servers they were renting from them. They also audited their entire server network to ensure that no other server could have been exploited in a similar way.
NordVPN also accelerated the encryption of all their servers and also pushed forward their process to move all of their servers to RAM.
While their response to the breach appears robust and they have sought to allay the concerns of users, NordVPN have not sought to downplay down the severity of the issue.
“We failed by contracting an unreliable server provider and should have done better to ensure the security of our customers,” they admit in their statement. “We will give our all to maximize the security of every aspect of our service, and next year we will launch an independent external audit all of our infrastructure to make sure we did not miss anything else.”
There is no denying that this is a major security breach and a major embarrassment for NordVPN.
While the fault may not have lay with them directly, they have a responsibility to the security and privacy of their users and, in this instance, they have let users down.
If there is an upside to the whole affair, it is that this does appear to be a genuine error of judgement by NordVPN rather than anything more malicious. It does also appear to have only affected those few users unlucky enough to have connected to this one Finnish server.
A selection of vocal users on Twitter are not letting one of the world’s leading VPN providers off the hook so easily though.
But we will be keeping a close eye on their security and privacy arrangements from now on and it goes to prove that no VPN service is infallible.