NordVPN, TorGuard and VikingVPN were compromised

Threadripper

Level 9
Thread author
Verified
Well-known
Feb 24, 2019
408
Read the full Twitter thread here

So apparently NordVPN was compromised at some point. Their (expired) private keys have been leaked, meaning anyone can just set up a server with those keys...

This is running on localhost (with an /etc/hosts entry), but it's what a MitM attempt would look like. Of course, if the key was used before it had expired, there would be no warnings...

And someone just mentioned to me that past encrypted sessions may be able to be decrypted, which is a much bigger issue!

OpenVPN keys were leaked as well as the expired *.nordvpn.com TLS cert. I haven't researched enough about OpenVPN to know if it's using forward secrecy, though you'd hope so

I should probably make it clear that whoever compromised NordVPN had root access to a container server, allowing full control of everything in it (presumably including the ability to view and tamper with all network traffic going through it). Why was this never detected?
 

blackice

Level 38
Verified
Top Poster
Well-known
Apr 1, 2019
2,731
This is happening with every VPN unfortunately, Ebay is full of jacked accounts. People reuse compromised passwords and never check HaveIBeenPwned making jacking an account with a premium subscription and selling it child's play.
Their Reddit is always full of people saying Nord has been hacked when it always turns out someone used the same password for multiple accounts that got compromised. HaveIBeenPwned is a wonderful resource.
 

Threadripper

Level 9
Thread author
Verified
Well-known
Feb 24, 2019
408
TorGuard and VikingVPN were also compromised, but more on the topic of NordVPN specifically:
  • Their owners and management are anonymous, they could be literally anybody.
  • They are based in Panama, a tax haven with virtually no digital privacy laws and high levels of law enforcement corruption.
  • Their ads are complete BS, from fake countdowns for deals on their website, to exaggerated "anti-malware" capability" which is just DNS blocking (while this is a good thing, they market it completely inappropriately). They can't even spell Ubuntu right...
    EGltCE7XUAEq8qf.png
  • It was compromised: root access gained, OpenVPN keys leaked and their expired TLS cert leaked.
...and people still trust them.
 

Threadripper

Level 9
Thread author
Verified
Well-known
Feb 24, 2019
408
i will say one of the best among the "commercial" ones.
They're very good at exposing VPN review sites who ask for money to get Windscribe ranked higher. Good thing about Windscribe is I know the owners name, what he looks like and they have a business address I can find... unlike Nord and similar.
Windscribe Transparency
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top