A NordVPN data breach disclosed when a server in one of their data centers breached in March of 2018.
According to the details released, the server located in a data center in Finland became compromised due to an insecure remote management system. Worse, this was a system that NordVPN never even knew existed. The company learned of the breach some months ago but withheld disclosing the details until they could be sure that their systems were secure. In the meantime, they quietly terminated their contract with the provider and shredded the servers the company rented from them.
As the official statement released by the company explained:
"The server itself did not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords couldn't have been intercepted."
Researchers also discovered that the NordVPN data breach had an expired private key left inadvertently exposed. Thie private key would have allowed anyone who gained access to it to set up a server that imitated NordVPN.
The company addressed this point as well, saying:
"...the key couldn't possibly have been used to decrypt the VPN traffic of any other server. On the same note, the only possible way to abuse the website traffic was by performing a personalized and complicated man-in-the-middle attack to intercept a single connection that tried to access NordVPN."
The fact that it happened at all is troublesome. In any case, according to the official statements released by the company and informed by their ongoing investigation, it doesn't appear that any sensitive user data was exposed. So if you're a NordVPN user, you can breathe a sigh of relief about that. Stay tuned for additional updates from the company.