NordVPN Hacked: Another One Bites the Dust?

Last updated: January 19, 2023
William Sams
NordVPN, the recommended choice by many for "online security and privacy", has confirmed it was hacked. Read all details about the incident in this post.

NordVPN Hacked

In the latest of scandals, NordVPN is up in flames on Twitter and Reddit as news breaks of it being hacked. For a service that has long touted itself as a security maximalist, the irony has created an environment of cold burns for Nord’s users.

Before I go into the details, I’d like to mention that BestVPN.co has removed the provider from our recommended listings until we receive a proper answer (one that makes sense) from Nord regarding this awful incident.


Some Background into the NordVPN Hack

The news gained prominence following TechCrunch’s post “NordVPN confirms it was hacked”. However, the discussion and allegations began on Twitter, after NordVPN itself invited trouble by triggering the InfoSec community.

NordVPN Signing Its Death Warrant

This tweet was pretty much all it took for the provider to land in the spotlight of the wrong people. Soon after it went live, the Twitter user @le_keksec replied, indicating that NordVPN may have been hacked at some point, as their private keys had been leaked.

NordVPN Private Keys Floating Online

Keksec verified that this was not their work, and these private keys were just floating around unnoticed on the internet (wow).

They even shared the link to the private keys via share.dmca, after which the Twitter user @hexdefined verified that NordVPN had indeed been compromised. He even released the cert that matches the private key: https://crt.sh/?id=10031443

As I delved deeper into the issue, it came to light that NordVPN had employed the incredibly weak 2048-bit Diffie-Hellman parameters, and that traffic during the hack could have been decrypted for at least an hour, affecting over 50-200 Nord users.

Following all these “accusations” on Twitter, NordVPN released a series of three tweets, claiming that their marketing department got ahead of itself with the overstatement above, and that they would provide an official statement soon.

NordVPN Replying to the Overstatement

After these tweets, NordVPN released their official statement, wherein they state that the breach only affected “A SINGLE SERVER” and not the entire service, followed by claims that TechCrunch’s “assumptions” are inaccurate.

The Blame Game Between Nord and Creanova (Data Center)

The hack also affected two other VPN services: TorGuard and VikingVPN. VikingVPN and NordVPN were not practicing secure PKI management, whereas TorGuard was.

This is one reason why none of TorGuard’s VPN users were affected by this breach and its CA key was not stolen: the key was not present on the compromised server.
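
The key-to-certificate match mentioned earlier and the PKI point above (a CA private key should not sit on a VPN server) combine into one audit a provider can run on its own hosts. This is an added example, not code from the original post or from any provider; the directory layout, file names and throwaway CA are constructed for the demo, and it assumes the `openssl` CLI is installed.

```shell
#!/bin/sh
# Added example: find the CA's private key on a server, whatever it is named.
# All paths and file names below are constructed for the demo.

# Hash of the public key embedded in a certificate (status 1 on error).
cert_pub_fp() (
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || exit 1
    [ -n "$pub" ] || exit 1
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
)

# Hash of the public half of a private key. Passphrase-protected keys fail
# to load with the empty passphrase and are skipped; review those by hand.
key_pub_fp() (
    pub=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || exit 1
    [ -n "$pub" ] || exit 1
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
)

# Print each file under DIR ($2) that holds the private key of CA_CERT ($1).
# The desired result on a VPN server is no output at all.
find_ca_key() (
    ca_fp=$(cert_pub_fp "$1") || { echo "unreadable CA cert: $1" >&2; exit 2; }
    find "$2" -type f | while IFS= read -r f; do
        fp=$(key_pub_fp "$f") || continue      # not a loadable private key
        if [ "$fp" = "$ca_fp" ]; then printf '%s\n' "$f"; fi
    done
)

# Constructed sample: a throwaway CA, a server holding only its own key, and
# a server that also carries the CA key under an innocuous file name.
make_demo() (
    d=$(mktemp -d) && cd "$d" || exit 1
    mkdir ca good bad
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout ca/ca.key -out ca/ca.crt 2>/dev/null || exit 1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out good/server.key 2>/dev/null || exit 1
    cp ca/ca.crt good/; cp ca/ca.crt good/server.key bad/
    cp ca/ca.key bad/backup.pem
    printf '%s\n' "$d"
)

demo=$(make_demo)
echo "good server:"; find_ca_key "$demo/good/ca.crt" "$demo/good"
echo "bad server:";  find_ca_key "$demo/bad/ca.crt" "$demo/bad"
```

Matching on the public key rather than the file name is what catches a copied or renamed CA key.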

However, we will talk about that later, as right now NordVPN’s response needs to be addressed. They stated, “We became aware that on March 2018, one of the datacenters in Finland we had been renting our servers from was accessed with no authorization.

The attacker gained access to the server by exploiting an insecure remote management system left by the data center provider while we were unaware that such a system existed.”

NordVPN said that soon after this incident they launched a thorough internal audit and created a process to move all of their servers to a RAM infrastructure, similar to ExpressVPN’s TrustedServer infrastructure and technology.

Reading the official statement, there were two takeaways: NordVPN only confirmed news about the hack after it was discovered on Twitter (violating GDPR’s data breach policy), and they put much of the blame on the third-party data center, Creanova!

Nord violated the GDPR by confirming the breach on October 20th, when it actually occurred in March 2018. Secondly, they put the blame on Creanova, which claims that NordVPN is the one that is actually careless about security.

Creanova's Statement about the Breach

After the statement above spread like wildfire, NordVPN hit back at Creanova with proof that the remote management software (which the hackers eventually breached) was installed without their knowledge.

NordVPN's Response to Creanova

Who’s the One Actually at Fault?

As a VPN reviewer, I consider this situation incredibly alarming and would place more accountability in the hands of Nord, especially when you factor in its main selling point: how secure their product is (and how it was positioned at the top at CNet, PCMag, and TechRadar).

Not to mention, they were also previously involved in a lawsuit filed by TorGuard, following a bug bounty program. Apparently, Nord threatened one of TorGuard’s affiliates to take down negative connotations about their product, after identifying a vulnerability.

As such, one may wonder whether NordVPN has focused only on its branding (even getting mentioned by Think With Google) without prioritizing security, despite marketing itself rigorously on exactly that.

Also, a fair warning to others working in the cyber-security industry: NEVER advertise that you can’t be hacked. The Twitterati will drag you through the mud for such sweeping statements. My sympathies for the marketing department of NordVPN.

2 Responses to NordVPN Hacked: Another One Bites the Dust?

  1. Maria Hernandez says:

    “NordVPN said it is now holding their datacenter partners to “even higher standards” and is working on a bug bounty program.”

    Now?? I am afraid it’s a bit late for that. How about setting standards and using frequent inspections before the horse leaves the barn???

    And to make the story even more ludicrous; NordVPN was always highly recommended (even here, multiple times), so you can imagine how bad the lesser ones are….!!

    • Bestvpn.co says:

      Thanks for replying, Maria. Like you said, it's a little too late for them to do anything. The ball is not in their court anymore. And yes, we did recommend the provider, mostly for streaming/torrenting, but now have removed it from our listings entirely, following this unfortunate hacking incident. Did not expect Nord to get hacked out of all services.
