An unidentified security researcher pointed to the breach, indicating that an expired private key had been exposed, meaning that someone else could masquerade as NordVPN.
Another unidentified researcher tweeted that two other VPN providers, VikingVPN and TorGuard — which has no connection to the Tor browser — had also been compromised.
"https://t.co/maZBOR6FVD is the source. Also includes some hacks of VikingVPN and TorGuard. VikingVPN also wasn't practicing secure PKI management. TorGuard was though. The last link in that post appears to be 8chan itself, which had a .bash_history exposed."
— ᓭ cryptostorm ᓯ (@cryptostorm_is), October 21, 2019
In a blog post on Monday, the company's blog editor Daniel Markuson did not name the data centre provider in Finland.
"The server itself did not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted either," Markuson said.
"I should probably make it clear that whoever compromised NordVPN had root access to a container server, allowing full control of everything in it (presumably including the ability to view and tamper with all network traffic going through it)."
— undefined (@hexdefined), October 21, 2019
Why was this never detected?
"The exact configuration file found on the Internet by security researchers ceased to exist on 5 March 2018. This was an isolated case, and no other data centre providers we use have been affected."
Markuson said the data centre operator had noticed the vulnerability and had deleted the remote management account but had not informed NordVPN about it.
"The expired TLS key was taken at the same time the data centre was exploited," he said.
"However, the key couldn’t possibly have been used to decrypt the VPN traffic of any other server.
"On the same note, the only possible way to abuse website traffic was by performing a personalised and complicated MiTM attack to intercept a single connection that tried to access nordvpn.com."
Markuson said that NordVPN was not trying to play down the severity of the incident. "Even though only 1 of more than 3000 servers we had at the time was affected, we are not trying to undermine the severity of the issue," he wrote.
"We failed by contracting an unreliable server provider and should have done better to ensure the security of our customers."