TorGuard, NordVPN Respond to Breach Reports

VPN providers TorGuard and NordVPN have responded to reports that their systems have been breached, and both blame the incident on a third-party service provider.

Hackers have leaked private RSA keys and information on configuration files that were stolen from a NordVPN server last year.

At least three private keys appear to have been stolen from the server, including one from an older NordVPN website certificate and two OpenVPN keys.

The data was leaked online in reaction to a NordVPN Twitter message that stated, “Ain’t no hacker can steal your online life. (If you use VPN). Stay safe,” which the company has already taken down, claiming it lacked editorial oversight.

“The infosec community’s critique, as always, was swift and precise, pointing out the overstatement. The ad was removed right after it was noticed by our management. We did this not because we hoped to kill the ongoing discussion – we are well aware of the opposite effect,” the company said in a tweet.

Shortly after the keys were posted online, the first analysis results emerged, and some suggested that the site key could have been used to perform man-in-the-middle (MiTM) attacks by setting up fake servers.

Others pointed out that, although a MiTM was possible using the key that belongs to the now old and retired TLS certificate, it could not have been used to decrypt stored VPN traffic.

In their official response, NordVPN confirmed that hackers accessed one of their servers and stole the TLS key, but said they could only use it to perform “a personalized and complicated MiTM attack to intercept a single connection that tried to access”

“[T]he key couldn’t possibly have been used to decrypt the VPN traffic of any other server,” the VPN service provider says.

The company claims that the information was stolen last year from a server housed by a datacentre in Finland and that the configuration file leaked on the Internet ceased to exist on March 5 last year.

“The attacker gained access to the server by exploiting an insecure remote management system left by the datacenter provider while we were unaware that such a system existed,” the company says.

NordVPN also explains that they only learned about the incident several months back, and that they immediately launched an investigation and terminated the contract with the server provider, but not before shredding all servers rented from them.

The company says they already checked their entire infrastructure to make sure no other server could have been exploited in the same way, and that they also accelerated the encryption of all their servers.

“The server itself did not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted either,” NordVPN says.

The company also noted that this was an isolated incident and that only one of their datacentre providers was impacted.

One of the issues that surfaced during the snafu was that NordVPN wasn’t practicing secure PKI management, and neither was VikingVPN, which was also impacted in the breach (it was using the same datacentre provider).

What’s more, TorGuard was also using the server provider and was hit, yet it was the only VPN service provider of the three to be practicing secure PKI management.

“TorGuard VPN or proxy traffic was not compromised during this isolated breach of a single VPN server and no sensitive information was compromised during this incident. Even though no security risk past or present was found, TorGuard has reissued all certs earlier this year per our security protocol,” the company said in a blog post.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
