VPN providers TorGuard and NordVPN have responded to reports that their systems have been breached, and both blame the incident on a third-party service provider.
Hackers have leaked private RSA keys and information on configuration files that were stolen from a NordVPN server last year.
At least three private keys appear to have been stolen from the server, including one from an older NordVPN website certificate and two OpenVPN keys.
The data was leaked online in reaction to a NordVPN Twitter message that stated, “Ain’t no hacker can steal your online life. (If you use VPN). Stay safe,” which the company has already taken down, claiming it lacked editorial oversight.
“The infosec community’s critique, as always, was swift and precise, pointing out the overstatement. The ad was removed right after it was noticed by our management. We did this not because we hoped to kill the ongoing discussion – we are well aware of the opposite effect,” the company said in a tweet.
Shortly after the keys were posted online, the first analysis results emerged, and some suggested that the site key could have been used to perform man-in-the-middle (MiTM) attacks by setting up fake servers.
Others pointed out that, although a MiTM was possible using the key that belongs to the now old and retired TLS certificate, it could not have been used to decrypt stored VPN traffic.
In their official response, NordVPN confirmed that hackers accessed one of their servers and stole the TLS key, but said they could only use it to perform “a personalized and complicated MiTM attack to intercept a single connection that tried to access nordvpn.com.”
“[T]he key couldn’t possibly have been used to decrypt the VPN traffic of any other server,” the VPN service provider says.
The company claims that the information was stolen last year from a server housed by a datacentre in Finland and that the configuration file leaked on the Internet ceased to exist on March 5 last year.
“The attacker gained access to the server by exploiting an insecure remote management system left by the datacenter provider while we were unaware that such a system existed,” the company says.
NordVPN also explains that they only learned about the incident several months back and that they immediately launched an investigation and terminated the contract with the server provider, not before shredding all servers rented from them.
The company says they already checked their entire infrastructure to make sure no other server could have been exploited in the same way, and that they also accelerated the encryption of all their servers.
“The server itself did not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted either,” NordVPN says.
The company also noted that this was an isolated incident and that only one of their datacentre providers was impacted.
One of the issues that surfaced during the snafu was that NordVPN wasn’t practicing secure PKI management, the same as VikingVPN, which was also impacted in the breach (it was using the same datacentre provider).
What’s more, TorGuard too was using the server provider and was hit, yet it was the only VPN service provider of the three to be practicing secure PKI management.
“TorGuard VPN or proxy traffic was not compromised during this isolated breach of a single VPN server and no sensitive information was compromised during this incident. Even though no security risk past or present was found, TorGuard has reissued all certs earlier this year per our security protocol,” the company said in a blog post.
Related: NSA: Multiple State-Sponsored APTs Exploiting Enterprise VPN Flaws
Related: Enterprise VPN Vulnerabilities Expose Organizations to Hacking, Espionage