As you have probably already read in the news, it has come to light that back in March 2018 one of NordVPN’s servers was compromised. This allowed hackers to see which websites users were visiting.
NordVPN has known about this for months but says – in a blog post – that it chose not to disclose the breach to the media or its users until it had finished conducting an audit of its other 5000 servers.
Whether you’re a NordVPN subscriber, considering subscribing or a user of another consumer VPN server, you’re undoubtedly wondering what it all means and, above all, if the service is safe to use.
How and why was NordVPN hacked?
The server (which was located in Finland) was compromised because it was owned and operated by a third party, not by NordVPN. Unfortunately, renting servers in this way is common practice for consumer VPNs, which effectively use the same cloud technology as other services.
The datacentre which ran the server installed some remote access software on it without informing NordVPN, and this software had a vulnerability which was exploited in March 2018 by a hacker.
Tech Advisor was sent a copy of an email from this datacentre, which explained that the software was installed on all their servers and was well known to have security holes. It claimed that other VPN providers also used its servers and paid more attention to security, asking the datacentre to block access to the tool until they needed it. It went on to say “NordVPN seems do not pay more attention to security by themselves and somehow try to put this on our shoulders”.
At the time of the attack, NordVPN was not encrypting the hard disks in its rented servers, so the hacker was able to steal encryption keys. These have since expired and NordVPN says the keys could not have been used to decrypt NordVPN traffic in any case.
Nord’s blog post includes a full apology for “an egregious mistake” and admits that the company “should have done more to filter out unreliable server providers and ensure the security of our customers”.
It also said that the breach was an isolated incident and none of its 5000 other servers were compromised.
Will NordVPN be hacked in the future?
It’s unwise for any consumer VPN service to claim that it offers 100 percent security and privacy. And that applies especially when it rents its servers from datacentres.
We spoke to a representative for Nord who told us that it now encrypts the hard drives in all of its servers and is working towards a system where the software works entirely in RAM and writes no data to the hard drive at all. One of its main rivals – ExpressVPN – already operates such a system, which it calls TrustedServer technology.
This should mean NordVPN is much less susceptible to this kind of attack. It has also revised its standard for current and future datacentre providers “to ensure that no similar breaches could ever happen again.”
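The mitigation Nord describes, encrypting the disks of every rented server, is something an operator can check rather than take on trust. The script below is an added example written for this article; it is not code from Tech Advisor, NordVPN or ExpressVPN. It parses the JSON that `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` prints on a Linux host and reports every mounted filesystem that does not sit on top of a dm-crypt (`crypt`) device. The sample output embedded in it is constructed for illustration, and the default list of boot partitions to ignore is an assumption of the example, not a recommendation from the page.

```python
import json
import subprocess

# Constructed sample of `lsblk -J -o NAME,TYPE,FSTYPE,MOUNTPOINT` output.
# It is an assumption of this example, not data from any real VPN server:
# the root filesystem is LUKS-encrypted, a second disk is mounted in the clear.
SAMPLE_LSBLK_JSON = """
{
  "blockdevices": [
    {"name": "sda", "type": "disk", "fstype": null, "mountpoint": null,
     "children": [
       {"name": "sda1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
       {"name": "sda2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null,
        "children": [
          {"name": "root_crypt", "type": "crypt", "fstype": "ext4", "mountpoint": "/"}
        ]}
     ]},
    {"name": "sdb", "type": "disk", "fstype": null, "mountpoint": null,
     "children": [
       {"name": "sdb1", "type": "part", "fstype": "ext4", "mountpoint": "/var/lib/vpn"}
     ]}
  ]
}
"""


def find_unencrypted_mounts(lsblk_json, ignore=("/boot", "/boot/efi")):
    """Return (mountpoint, device) pairs whose device chain has no 'crypt' layer.

    lsblk nests a dm-crypt mapping under the partition that holds the LUKS
    container, so a mountpoint is considered encrypted when any ancestor in
    the tree, or the device itself, has type "crypt". Boot partitions listed
    in `ignore` are skipped (assumed to hold no secrets; adjust as needed).
    """
    tree = json.loads(lsblk_json)
    findings = []

    def walk(dev, encrypted):
        encrypted = encrypted or dev.get("type") == "crypt"
        mountpoint = dev.get("mountpoint")
        if mountpoint and not encrypted and mountpoint not in ignore:
            findings.append((mountpoint, dev["name"]))
        for child in dev.get("children", []):
            walk(child, encrypted)

    for dev in tree["blockdevices"]:
        walk(dev, False)
    return findings


def read_live_lsblk():
    """Run lsblk on this host; return None if it is unavailable (non-Linux, no util-linux)."""
    try:
        result = subprocess.run(
            ["lsblk", "-J", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
            capture_output=True, text=True, check=True,
        )
        return result.stdout
    except (OSError, subprocess.CalledProcessError):
        return None


if __name__ == "__main__":
    data = read_live_lsblk()
    source = "live host"
    if data is None:
        data, source = SAMPLE_LSBLK_JSON, "constructed sample"
    findings = find_unencrypted_mounts(data)
    print(f"Checked {source}: {len(findings)} unencrypted mount(s)")
    for mountpoint, device in findings:
        print(f"  {mountpoint} on {device} is not backed by a dm-crypt layer")
```

On the constructed sample the script flags `/var/lib/vpn` on `sdb1`, which is the pattern the article describes: a key or configuration directory living on a plain partition that anyone with physical or remote-console access to the rented machine could read. The check only covers block devices, so a RAM-only design of the kind ExpressVPN describes would simply show no persistent mounts at all.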
Should I use NordVPN?
As we said at the start, it depends upon why you’re using a VPN. Some news reports say that NordVPN’s lax security measures were putting activists’ lives at risk, but the company itself countered that by stating that it operates a zero-logs policy, so no individual user could be identified as having visited a particular website. All the hackers could see was the addresses of the sites being visited by users on that server – they couldn’t see the content users were viewing.
So, if Nord is telling the truth, no lives were at risk. However, if you are using a VPN because your life depends upon it, the best advice is not to use a consumer VPN service at all. Instead, use an enterprise-grade VPN. It will cost more, but will also offer a superior level of privacy and security.
On the other hand, if you just want to access region-locked content or get some privacy when browsing the web for things that don’t involve breaking the law, then you’re safe to use NordVPN.
The compromised server meant that the hackers could view the same sort of data as your ISP has access to, so given that this is exactly what VPNs are supposed to shield you from, it’s disappointing that NordVPN wasn’t able to prevent this happening.
There’s no doubt that the breach will damage NordVPN’s reputation, and it admits that it is a significant setback.
It also shows that you can’t guarantee security and privacy even if you pick one of the best-known VPNs in the business.
Hopefully NordVPN has learned its lesson and will stick to its promise of raising standards to make sure this can’t happen again. But it needs to earn users’ trust once more, and really we only have Nord’s word to go on that it has improved its security practices and that this sort of thing won’t happen again.
However, as a consumer, you also have to take any other VPN provider at its word that it has put the best security in place. This incident has certainly highlighted why it can be a good idea to choose one which owns and operates its own hardware as well as its software.