NordVPN, a major virtual private network provider with 12 million users worldwide, today disclosed that it suffered a security breach last year.

VPN applications such as NordVPN aim to enhance users’ privacy by routing their web traffic through encrypted connections that are for all intents and purposes isolated from the rest of the network. The connections run through servers operated by the service provider. 

According to NordVPN, last year’s breach saw a hacker compromise one of the rented servers it used for this purpose. The machine in question was running inside a Finnish data center and belonged to an unnamed hosting firm with whom NordVPN has since severed ties. The attacker gained accessed by exploiting a vulnerable remote management application that the hosting firm had installed on the server without notice, NordVPN said. 

NordVPN technicians discovered the breach a few months ago and launched a security audit. The provider claims that no usernames or passwords were exposed, nor could the hacker exploit the compromised server to decrypt traffic processed by other nodes.

“There are no indications than any of our customers were affected and their data was intercepted by a malicious actor,” the company said in a statement. “The tunnel itself is safe and never been hacked. Our core databases, our code and the service itself are also secure and have not been affected. It was single access to one of more than 5,000 servers we have. The hacker managed to access this server because of the mistakes done by a data center owner.”

The attacker did have access to the web activity of users whose requests were routed through the compromised machine. Moreover, TechCrunch reported, attackers may have had the ability to set up malicious servers masquerading as NordVPN systems. A security researcher who spoke with the outlet on condition of anonymity described the incident as “deeply concerning.”

NordVPN said it’s taking steps to avoid similar breaches in the future. The provider is preparing to launch a new security audit of its infrastructure, intends to retain outside experts for an independent evaluation next year and will set up a bug bounty program. Bug bounty programs encourage the cybersecurity community to report weaknesses in a company’s systems by offering financial rewards for submissions.

NordVPN’s disclosure comes just hours after Avast Software s.r.o., one of the world’s largest antivirus providers, revealed that its network was breached via a poorly configured VPN account. The company said it believes that the hackers were targeting the business unit responsible for developing its CCleaner tool for removing unwanted files. 

Photo: Unsplash