What do you do when you find out the company you were entrusting with your privacy was hacked? Panic? There may have been a lot of that going on when NordVPN admitted to a security breach of their server.
The good news is that NordVPN is on top of it, and it has already strengthened security measures. But will users be able to trust NordVPN again?
NordVPN Security Breach
VPN providers are used by many to provide privacy, both from their Internet provider and from the sites that they visit. They want to be sure their Internet browsing is kept private.
Initially, there were rumors that NordVPN had been breached, and then it became known that the company had an expired internal private key exposed. This could allow anyone to use their own servers to imitate NordVPN.
NordVPN has always claimed a “zero logs” policy, as many VPNs do, at least the good ones. NordVPN claims, “We don’t track, collect, or share your private data.”
The company admitted that one of its data centers was accessed in March 2018, with NordVPN spokesperson Laura Tyrell admitting, “One of the data centers in Finland we are renting our servers from was accessed with no authorization.”
Tyrell further explained that “usernames and passwords couldn’t have been intercepted,” as none of the company’s applications “send user-created credentials for authentication.” The expired private key couldn’t have been used to decrypt the traffic on any other server.
A senior security researcher who reviewed NordVPN’s statement and other evidence of the breach said, after the breach first hit the news, “While this is unconfirmed and we await further forensic evidence, this is an indication of a full remote compromise of this provider’s systems.”
“That should be deeply concerning to anyone who uses or promotes these particular services.”
To pacify its customers, NordVPN is making changes. Its team of penetration testers will now work with the VerSprite cybersecurity firm on comprehensive penetration testing, intrusion handling, and source code analysis. VerSprite will also aid NordVPN in forming an independent cybersecurity advisory committee.
Most likely because they don’t want to be embarrassed in this way again, NordVPN is going to introduce a bug bounty program in the coming weeks. They also vow to conduct a complete full-scale third-party independent security audit in 2020.
NordVPN now plans to use servers that it owns, though they will still be in rented data center space. The company also has plans to replace its infrastructure with diskless services, meaning nothing will be stored locally.
Did NordVPN Lose Its Trust?
Anyone using a VPN already has privacy concerns. So when they look at this breach, it’s with the knowledge that the information they sought protection for wasn’t as safe as they wanted. Knowing that the company plans to make changes may not be enough.
Are you a NordVPN user? Does this news concern you? Are you less concerned after reading how NordVPN will change its operation? Share your thoughts and concerns in the comments section below.