Update 23 October 09:57 UTC: NordVPN has directly reached out to members of the press in an attempt to clarify the finer points of the story.

While the majority of the points raised were already known, the timeline of events which transpired has changed.

A NordVPN spokesperson told us the following:

“The affected server was brought online on 31 January 2018.

“Evidence of the breach appeared in public on 5 March 2018. Further evidence suggests that this information only became available soon after the breach actually occurred.

“The potential for unauthorized access to our server was restricted when the data center deleted the undisclosed management account on 20 March 2018.

“The server was shredded on April 13 2019 – the moment we suspected a possible breach.”

Previously, NordVPN had claimed that it first obtained knowledge of the breach in April of this year – it would now seem that it first suspected  a breach more than a year prior to that, in March 2018.

We have responded to NordVPN with further questions.

Update 22 October 16:48 UTC: NordVPN has alleged that Creanova, a datacenter company from which NordVPN rented servers in Finland, was responsible for the March 2018 data breach, due to “very bad security practices.”

Speaking to a Bloomberg reporter, Creanova CEO Niko Viskari responded: “We can confirm [NordVPN] were our clients. And they had a problem with security but because they do not take care of security by themselves.”

Viskari confirmed that Creanova’s servers include remote access tools, which “[have] security problems from time to time.”

But he contended that: “We have many clients and some large VPN providers among them who take care of security… They pay more attention to this than NordVPN.”

According to Viskari, most VPN providers ask for remote access ports to be put inside private networks or shut-down entirely until they are needed. He claims NordVPN has been negligent and is unfairly putting the blame for the breach on Creanova.

NordVPN has responded to Viskari’s statement, saying Creanova “installed a remote management solution without our knowledge.”

As of the time of publishing, the NordVPN warrant canary reads “We, NordVPN, confirm that we take full control of our infrastructure. It has never been compromised or suffered a data breach.” In the light of the last few days’ revelations, these two sentences do not appear fully compatible.

Our original story, first published on 21 October 2019, follows.

NordVPN has confirmed allegations that one of its servers was hacked in March 2018.

In NordVPN’s official statement, spokesperson Daniel Markuson said: “On March 2018, one of the datacenters in Finland we had been renting our servers from was accessed with no authorization.”

The anonymous 8chan user who revealed the NordVPN key also posted links to OpenVPN keys for servers belonging to VPN providers Torguard and VikingVPN.

In its own statement on the leak, TorGuard has said “TorGuard first became aware of this disclosure during May of 2019… The single TorGuard server that was compromised was removed from our network early in 2018 and we have since terminated all business with the related hosting reseller because of repeated suspicious activity.”

Neither NordVPN nor TorGuard have revealed the identity of the hosting reseller, but TorGuard claims: “This server was not compromised externally and there was never a threat to other TorGuard servers or users.”

According to NordVPN the server was accessed by exploiting an insecure remote management system left by the datacenter provider.

Markuson said: “The server itself did not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted either.”

He clarified that the key could not have been used to decrypt the VPN traffic on any other server, and that no other servers were affected by this particular breach.

Speaking to TechCrunch NordVPN spokesperson Laura Tyrell said: “The only possible way to abuse the website traffic was by performing a personalized and complicated man-in-the-middle attack to intercept a single connection that tried to access NordVPN.”

A man-in-the-middle attack is a serious security breach which could allow a third party to eavesdrop, intercept, or even alter communication between the user and the server.

The breach occurred in March 2018, and in early May 2018 links were posted to the controversial and now-offline message board, 8chan.

However, NordVPN claims to have only known about the breaches for the “last few months.”

Information about the leaks was posted by twitter user @hexdefined yesterday morning, 20 October 2019, apparently in response to a since-deleted post from NordVPN stating: “Ain’t no hacker can steal your online life. (If you use VPN). Stay Safe.”

A screenshot of the deleted NordVPN tweet

NordVPN’s deleted tweet

On Twitter NordVPN claimed that it removed this post “not because we hoped to kill discussion… we removed it because the text lacked editorial oversight.”

Explaining why the company has waited until today to release information about the leak Tyrell said NordVPN wanted to wait until it could be “100% sure that each component within our infrastructure is secure.” She did not make reference to the story having circulated on Twitter over the previous day.

Simon Migliano, Head of Research at Top10VPN.com, commented on the failure of NordVPN to properly justify keeping its knowledge of the leak confidential: “The news of NordVPN and Torguard being hacked in 2018 is very alarming, and it appears that both VPN companies have carried out inadequate audits of some of the rented servers within their server networks.

“While only one of NordVPN’s servers had been breached, this incident should have never happened in the first place.

“On top of security concerns, it’s also disappointing to learn that NordVPN knew about the breach ‘a few months ago’ but decided not to inform its customers about it. While we appreciate that it takes time to carry out an exhaustive security audit to ensure the rest of the server network isn’t vulnerable, it shouldn’t have taken this long had the check been made a priority. We certainly expect more transparency from one of the leading VPN providers on the market.”

VikingVPN has yet to release a statement on the breach.