TorGuard, NordVPN Respond to Breach Reports

VPN providers TorGuard and NordVPN have responded to reports that their systems have been breached, and both blame the incident on a third-party service provider.

Hackers have leaked private RSA keys and information on configuration files that were stolen from a NordVPN server last year.

At least three private keys appear to have been stolen from the server, including one from an older NordVPN website certificate and two OpenVPN keys.

The data was leaked online in reaction to a NordVPN Twitter message that stated, “Ain’t no hacker can steal your online life. (If you use VPN). Stay safe,” which the company has since taken down, saying it lacked editorial oversight.

“The infosec community’s critique, as always, was swift and precise, pointing out the overstatement. The ad was removed right after it was noticed by our management. We did this not because we hoped to kill the ongoing discussion – we are well aware of the opposite effect,” the company said in a tweet.

Shortly after the keys were posted online, the first analysis results emerged, and some suggested that the site key could have been used to perform man-in-the-middle (MiTM) attacks by setting up fake servers.

Others pointed out that, although a MiTM attack was possible using the key belonging to the old, now-retired TLS certificate, the key could not have been used to decrypt stored VPN traffic.

In its official response, NordVPN confirmed that hackers accessed one of its servers and stole the TLS key, but said the key could only be used to perform “a personalized and complicated MiTM attack to intercept a single connection that tried to access nordvpn.com.”


“[T]he key couldn’t possibly have been used to decrypt the VPN traffic of any other server,” the VPN service provider says.
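The triage a defender runs when a private key turns up in a leak, as an added example that is not code from the article or from either provider: match the key against the certificates in use, then check whether any matching certificate is still within its validity window, which is what decides whether the key could still be used to impersonate the site rather than just retrospectively matching a retired certificate. Go standard library only; every key and certificate here is constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// KeyMatchesCert reports whether an RSA private key, e.g. one found in a leak,
// is the key behind cert: same modulus and public exponent.
func KeyMatchesCert(key *rsa.PrivateKey, cert *x509.Certificate) bool {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	return ok && pub.N.Cmp(key.N) == 0 && pub.E == key.E
}

// CertValidAt reports whether cert is inside its validity window at now. A
// leaked key for an expired, retired cert cannot impersonate the site to a
// client that checks expiry, but any cert it matches should still be reissued.
func CertValidAt(cert *x509.Certificate, now time.Time) bool {
	return !now.Before(cert.NotBefore) && !now.After(cert.NotAfter)
}

// AffectedCerts splits the certs that share the leaked key into those still
// valid at now (urgent: revoke and reissue) and those already expired.
func AffectedCerts(leaked *rsa.PrivateKey, certs []*x509.Certificate, now time.Time) (live, expired []*x509.Certificate) {
	for _, c := range certs {
		switch {
		case !KeyMatchesCert(leaked, c):
		case CertValidAt(c, now):
			live = append(live, c)
		default:
			expired = append(expired, c)
		}
	}
	return live, expired
}

// SelfSignedCert builds a constructed self-signed test certificate for key
// (sample data for this example, not a real provider certificate).
func SelfSignedCert(key *rsa.PrivateKey, cn string, notBefore, notAfter time.Time) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return cert
}
```

Run AffectedCerts over the leaked key and every certificate the organisation has issued; a non-empty live list means the key is usable against current clients and the certificate must be revoked and reissued immediately.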

The company claims that the information was stolen last year from a server housed at a datacentre in Finland, and that the configuration file leaked on the Internet had ceased to exist as of March 5 last year.

“The attacker gained access to the server by exploiting an insecure remote management system left by the datacenter provider while we were unaware that such a system existed,” the company says.

NordVPN also explains that it learned about the incident only several months ago, immediately launched an investigation, and terminated the contract with the server provider, but not before shredding all servers rented from it.

The company says it has already checked its entire infrastructure to make sure no other server could have been exploited in the same way, and that it has also accelerated the encryption of all its servers.

“The server itself did not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted either,” NordVPN says.

The company also noted that this was an isolated incident and that only one of its datacentre providers was impacted.

One of the issues that surfaced during the incident was that NordVPN was not practicing secure PKI management, and neither was VikingVPN, which was also impacted in the breach (it was using the same datacentre provider).

What’s more, TorGuard was also using the server provider and was hit, yet it was the only one of the three VPN service providers that was practicing secure PKI management.

“TorGuard VPN or proxy traffic was not compromised during this isolated breach of a single VPN server and no sensitive information was compromised during this incident. Even though no security risk past or present was found, TorGuard has reissued all certs earlier this year per our security protocol,” the company said in a blog post.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
