NordVPN has confirmed that a data centre in Finland where it was renting servers suffered a breach back in March 2018, although it has sought to reassure customers that their information is safe.
This breach is notable because it wasn’t NordVPN that held responsibility, but the data centre operator. That’s because the data centre operator had installed an insecure remote management system on the server and then rented it out to NordVPN, without informing the VPN provider of its existence. The attackers then used exploited that flaw and accessed the server.
Thankfully, NordVPN customers didn’t have too much to worry about as NordVPN explains, “The server itself did not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted either.”
After finding out about the breach several months ago, NordVPN says that it underwent an extensive audit of its infrastructure to ensure that no other breach was possible. It found that it was an isolated incident, but it would be moving all of its servers to RAM to further bolster security. What’s more, NordVPN is ensuring that the data centres it works with have higher standards of security.
While NordVPN would not name the data centre responsible for the lax security, it did note that it had severed all ties with the operator. “When we learned about the vulnerability the datacenter had a few months back, we immediately terminated the contract with the server provider and shredded all the servers we had been renting from them,” NordVPN said in a statement.
NordVPN admitted that it had known about the exploit for several months, but defended its decision to not disclose the information immediately. “We did not disclose the exploit immediately because we had to make sure that none of our infrastructure could be prone to similar issues. This couldn’t be done quickly due to the huge number of servers and the complexity of our infrastructure,” it said.