NordVPN, provider of a widely used virtual private network (VPN) service, confirmed a breach of one of its data centers in March 2018. The company said an attacker gained access to a server at a data center in Finland by exploiting an insecure remote management system left by the data center provider, a system NordVPN said it never knew existed.
"The server itself did not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords couldn't have been intercepted either," the company said in an official statement.
NordVPN didn't name the data center provider but said that it terminated its contract with the server provider and shredded all of the servers it had been renting from them. NordVPN said it found out about the breach a few months ago, yet waited to disclose the incident to ensure that the rest of its infrastructure was secure.
Over the weekend, security researchers discovered that an expired NordVPN private key had been exposed, which would allow anyone to set up a server imitating NordVPN. According to NordVPN, the TLS key was taken at the same time the data center was exploited.
"However, the key couldn't possibly have been used to decrypt the VPN traffic of any other server. On the same note, the only possible way to abuse the website traffic was by performing a personalized and complicated man-in-the-middle attack to intercept a single connection that tried to access NordVPN."