Yesterday, in a message on its site, NordVPN admitted that one of its servers had been breached by a third party after being left vulnerable for a short window.
The attack occurred in March 2018, but was only discovered by the company earlier in 2019. Yesterday's announcement was the first time the issue had been publicly disclosed. NordVPN says that it has taken the attack seriously and dealt with the issue, and that no user information was taken.
We take a look at how the breach happened, and the consequences for NordVPN users.
How Did the NordVPN Breach Happen?
There had been rumors on Twitter of a security breach at NordVPN before. Yesterday, the company posted on its own blog to confirm it had indeed experienced an attack from a third party. In a post titled “Why the NordVPN network is safe after a third-party provider breach”, the company explained that the breach had originally taken place in March 2018, but wasn't discovered until earlier this year.
NordVPN states that it hadn't disclosed the attack initially because it wanted to make sure the vulnerability was fully closed and the problem addressed first. Fixing before disclosing is common practice in security reporting.
So, what actually happened? According to NordVPN, a third party gained access to a server in Finland through a remote management system that, as the company is at pains to point out in its blog, had been left open by the datacenter provider. NordVPN claims it was unaware that the system even existed, and places the blame squarely on the provider. Using that remote access tool, it would have been possible to connect to the server and reach whatever information was available on it.
In its statement, NordVPN says it traced the intrusion to a configuration file that ceased to exist on 5 March 2018, which means that, in theory, the window of access was short. The datacenter provider itself then removed the remote access tool on 20 March 2018, a little over two weeks later.
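The practical lesson for anyone running servers in a third-party datacenter is to check for exactly this class of exposure yourself rather than trusting the provider's defaults. The script below is an added example, not NordVPN's or its provider's code: it reads nmap grepable (`-oG`) output from a scan run from outside your network and flags hosts on which out-of-band management services answer. The article does not say which remote management system was involved, so the port list (IPMI/BMC, Intel AMT, VNC, RDP, WinRM) and the sample scan data are assumptions.

```python
"""Audit a port scan for out-of-band management services exposed to the internet.

Added example for this article; it is not NordVPN's or its provider's code.
The article only says a "remote management system" was left open, so the list
of management ports below is an assumption about the usual suspects in a
datacenter (IPMI/BMC, Intel AMT, VNC and RDP consoles, WinRM). Feed it the
output of `nmap -sU -sT -oG - <your hosts>` run from outside your network.
"""
import re
import sys
from typing import Dict, List, Tuple

# Assumed list of (port, protocol) -> description; none of these should be
# reachable from the public internet. Extend it to match your own estate.
MANAGEMENT_SERVICES: Dict[Tuple[int, str], str] = {
    (623, "udp"): "IPMI / RMCP (BMC)",
    (623, "tcp"): "IPMI / RMCP (BMC)",
    (16992, "tcp"): "Intel AMT",
    (16993, "tcp"): "Intel AMT (TLS)",
    (5900, "tcp"): "VNC console",
    (3389, "tcp"): "RDP",
    (5985, "tcp"): "WinRM",
    (5986, "tcp"): "WinRM (TLS)",
}

# States that count as reachable from the scanning vantage point. nmap reports
# UDP services it cannot tell apart from a firewall drop as open|filtered, and
# IPMI over UDP usually shows up that way, so it is treated as a finding.
REACHABLE_STATES = {"open", "open|filtered"}

# nmap -oG "Ports:" lines: Host: <ip> (<name>)\tPorts: <entries>\tIgnored State: ...
# Each entry is port/state/proto/owner/service/rpc/version/
_HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*?)(?:\t|$)")
_PORT_RE = re.compile(r"(\d+)/([^/]+)/([^/]+)/[^/]*/([^/]*)/")

# Constructed sample scan, not real data. 203.0.113.0/24 is a documentation range.
SAMPLE_SCAN = (
    "# Nmap grepable output (constructed sample)\n"
    "Host: 203.0.113.10 (vpn-fi-01.example)\tStatus: Up\n"
    "Host: 203.0.113.10 (vpn-fi-01.example)\tPorts: 22/open/tcp//ssh///, "
    "1194/open/udp//openvpn///, 623/open/udp//asf-rmcp///\tIgnored State: closed (997)\n"
    "Host: 203.0.113.11 (vpn-fi-02.example)\tPorts: 22/open/tcp//ssh///, "
    "1194/open/udp//openvpn///, 623/filtered/udp//asf-rmcp///\n"
    "Host: 203.0.113.12 ()\tPorts: 443/open/tcp//https///, "
    "623/open|filtered/udp//asf-rmcp///, 5900/open/tcp//vnc///\n"
)


def parse_grepable(scan: str) -> Dict[str, List[Tuple[int, str, str, str]]]:
    """Return {host label: [(port, proto, state, service), ...]} from -oG text."""
    hosts: Dict[str, List[Tuple[int, str, str, str]]] = {}
    for line in scan.splitlines():
        m = _HOST_RE.match(line)
        if not m:
            continue  # comments, "Status: Up" lines, anything without Ports:
        ip, name, ports_field = m.groups()
        label = f"{ip} ({name})" if name else ip
        hosts[label] = [
            (int(port), proto, state, service)
            for port, state, proto, service in _PORT_RE.findall(ports_field)
        ]
    return hosts


def find_exposed_management(scan: str) -> Dict[str, List[str]]:
    """Map each host to the management services reachable from the scan's vantage point."""
    findings: Dict[str, List[str]] = {}
    for host, entries in parse_grepable(scan).items():
        hits = [
            f"{port}/{proto} {MANAGEMENT_SERVICES[(port, proto)]} [{state}]"
            for port, proto, state, _service in entries
            if (port, proto) in MANAGEMENT_SERVICES and state in REACHABLE_STATES
        ]
        if hits:
            findings[host] = hits
    return findings


if __name__ == "__main__":
    # Usage: python audit_mgmt.py scan.gnmap   (falls back to the built-in sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SCAN
    for host, hits in find_exposed_management(text).items():
        print(f"{host}: {', '.join(hits)}")
```

Run against the built-in sample, the first host is flagged for an IPMI port answering over UDP and the third for IPMI plus an exposed VNC console; the second host is clean because its 623/udp is filtered from outside. A host that nmap cannot see but that is still reachable from the provider's own management network will not show up here, so ask the provider directly what out-of-band access exists on your machines as well.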
What are the Consequences for NordVPN Users?
On the surface, the breach is a concern. Any privacy threat, no matter how small, should be taken seriously and addressed immediately. Crucially, NordVPN doesn't keep activity logs on its servers, which means there was no stored user data on the affected machine for a nefarious third party to take: no usernames, no passwords, nothing that could identify an individual.
However, that's not to say the breach was entirely harmless. Although it would take some effort, there is a way information could have been accessed: a man-in-the-middle attack, in which the attacker intercepts a customer's data in real time while the customer is using the compromised server. The data that can be captured this way is limited, and it requires the attacker to be present while the customer is connected, but it's still a viable threat that should be taken seriously.
Luckily for NordVPN users, the window of access was so short that it's doubtful the third party got away with much information.
In its statement, NordVPN has said that no user credentials were intercepted, and that no other servers (of which the company has over 3,000) had been breached. The affected server has been removed from service, and the contract with the server provider has been terminated.
In addition, the company is currently carrying out a security audit, and has plans for a bug bounty program next year. It appears that the breach has left the company somewhat shaken, and has spurred it to take more precautions in the future.
Is Using a VPN Safe?
In reality, no online service is infallible. The biggest names in the business, from Google to Facebook, Microsoft to Twitter, have all experienced a data breach at some time. While it's always alarming to hear of such cases, it's the company's reaction afterwards that is key.
In this case, it appears that NordVPN has made all the right noises with its approach to remedying the situation. Some might be concerned about the lateness of the disclosure. But, it's standard to ensure that the issue is fixed before going public, so as not to encourage copycat attacks.
Another reason the NordVPN attack is not as alarming as it could have been for other companies, is the strict ‘no logs‘ policy that it operates. NordVPN promises not to collect or record any of its user data. This includes session information, bandwidth, traffic data, IP addresses and so on. Without this information available, access to the company's servers becomes a lot less desirable, purely because there's very little worth taking.
Not all VPNs operate in the same fashion, and during our research, we've found that some, especially free VPNs, not only keep a treasure trove of your user data, but also sell it to advertisers. Some even allow their paid users to piggyback off your bandwidth. Just one of the many reasons we'll always suggest you pay a few bucks a month for a decent VPN, rather than risk your privacy with a free VPN service.
Check out our reviews of the most secure VPNs to choose, extensively tested by us, including specific tests that rate how safe each one is.
Alternatives to NordVPN
If you're looking for a VPN and don't want to use NordVPN, there are plenty of other options out there, many of which we've reviewed in our extensive VPN tests.
In our experience, the best of the bunch is PureVPN, a fantastic VPN package that marries security and usability – and won't cost you the earth. There's a reason PureVPN is Tech.co's highest rated VPN software. Features like ‘Ozone' and ‘Gravity' really help elevate PureVPN above its peers. Ozone offers antivirus blocking, as well as content filtering tools, and Gravity is the service's ad-blocker that stops adverts appearing in your browser. PureVPN also operates a zero-log policy, so your details won't be left vulnerable. Oh, and it works with Netflix too – a stumbling block for many VPNs – although you'll need to use a dedicated browser plug-in.
Another great alternative is IPVanish, which also scores well in our tests and comfortably sits in the top three of all the VPNs we've tested. While it's better suited to those who have used a VPN before and like having plenty of features to tinker with, there's a depth to the application that means you can get a lot out of it. The dedicated Windows app is especially powerful, allowing users to switch between different kinds of leak protection, activate the kill switch or obfuscate their traffic. Like PureVPN, it has a strong set of security features that lock your data up tight. It's not the cheapest out there, but at around $10 a month it's not going to put much of a dent in your outgoings, and for the features, it's still good value.