Threadripper

Level 8
Read the full Twitter thread here

So apparently NordVPN was compromised at some point. Their (expired) private keys have been leaked, meaning anyone can just set up a server with those keys...

This is running on localhost (with an /etc/hosts entry), but it's what a MitM attempt would look like. Of course, if the key was used before it had expired, there would be no warnings...

And someone just mentioned to me that past encrypted sessions may be able to be decrypted, which is a much bigger issue!

OpenVPN keys were leaked as well as the expired *.nordvpn.com TLS cert. I haven't researched enough about OpenVPN to know if it's using forward secrecy, though you'd hope so

I should probably make it clear that whoever compromised NordVPN had root access to a container server, allowing full control of everything in it (presumably including the ability to view and tamper with all network traffic going through it). Why was this never detected?
 

blackice

Level 12
Verified
This is happening with every VPN unfortunately, Ebay is full of jacked accounts. People reuse compromised passwords and never check HaveIBeenPwned making jacking an account with a premium subscription and selling it child's play.
Their Reddit is always full of people saying Nord has been hacked when it always turns out someone used the same password for multiple accounts that got compromised. HaveIBeenPwned is a wonderful resource.
 

Threadripper

Level 8
TorGuard and VikingVPN were also compromised, but more on the topic of NordVPN specifically:
  • Their owners and management are anonymous, they could be literally anybody.
  • They are based in Panama, a tax haven with virtually no digital privacy laws and high levels of law enforcement corruption.
  • Their ads are complete BS, from fake countdowns for deals on their website, to exaggerated "anti-malware" capability" which is just DNS blocking (while this is a good thing, they market it completely inappropriately). They can't even spell Ubuntu right...
    EGltCE7XUAEq8qf.png
  • It was compromised: root access gained, OpenVPN keys leaked and their expired TLS cert leaked.
...and people still trust them.