NordVPN servers were hacked; users’ traffic was exposed by the attackers

Virtual private network services (VPN) company NordVPN has revealed a hacking incident that occurred last year. According to web application security experts, in March 2018 a threat actor broke into one of the company’s servers, located in Finland, exposing some data on the browsing habits of its customers.

NordVPN states that the server did not contain activity logs, usernames, or passwords. However, the hacker was able to access a list of sites visited during the intrusion, although the content of those websites is protected with encryption.

VPN services have become very popular over the past two years, although many Internet users still don't know exactly what they are. Web application security experts explain that a VPN service works by routing users' Internet traffic through servers in multiple cities or countries to mask browsing habits, strengthening online privacy.

Tom Okman, NordVPN's technology advisor, said: "The person responsible for the attack could have infiltrated the specified server, intercepting only the traffic and the name of the websites visited for a short period of time."

NordVPN also mentioned that the server to which each user is connected changes approximately every five minutes, although users can choose the country in which the connection is established. In other words, users might have been exposed, but only for very short periods of time and intermittently. It is estimated that the majority of exposed users are located in Finland, where the server is located.

Some web application security experts began spreading the word on this incident over the past weekend. In addition, the statement posted by NordVPN mentions that the intrusion could have lasted months and was likely made possible by an unsecured remote access system installed on the compromised server.

It is estimated that the server remained compromised from January 31 to March 20, 2018, although the hacker is believed to have actually accessed the deployment on only one occasion, during the month of March.

Regarding possible follow-on attacks, the company states that information stored on the compromised server cannot be used to decrypt traffic from other servers under its control. NordVPN acknowledges that a stolen encryption key could have been used to mount a Man-in-the-Middle (MITM) attack, but says the complexity of such an attack minimizes the chances of it being carried out, and that the possibly compromised encryption keys have already been revoked.

As an additional security measure, NordVPN terminated its working relationship with the company in charge of the compromised server.

Web application security experts from the International Institute of Cyber Security (IICS) mention that the company is informing customers about the incident via email, albeit only as a formality, as the company insists that this cannot be considered a hacking incident: "This is more of an isolated security breach. No user's information has been compromised," Okman concludes.
