The recent hack of NordVPN was big news in the tech world, but regular web users, if they heard about it at all, just shrugged it off as yet another hack. However, any attack on a major VPN provider needs to be taken seriously. Without a dependable VPN, privacy and security on the web vanish.
“But I have nothing to hide. If you want to see what I’m doing, go right ahead.” This is the common, naive refrain of those who don’t completely understand cybersecurity and privacy. Sure, you may not have anything to hide, but what about your contacts, your friends, your family, or your company? What if your lack of understanding of the importance of privacy leads to a breach at your company? What if that breach is traced to you and your poor use of your device? What if you are subsequently fired? What if you lose your friends or the respect of your family? In other words, yes, privacy is your concern.
Privacy begins with your internet service provider (ISP), because they can see everything you do online. They can save all they learn about you in a file that only they can access. Of course, they may say this file is safe and protected, but if, for some reason, the government needs to look at your history, odds are pretty good that the ISP will let it. A VPN provider can interfere with this process. They can hide your activities from your internet service provider, but they, too, can store your history on their servers. This is why it is important to find out how the VPN provider protects the information they gather about you.
It’s not only governments that you would need to worry about if the VPN provider doesn’t protect your information. Your information could be vulnerable to hackers as well. This is why some VPN providers don’t maintain any logs of user information. In fact, NordVPN is one of these. As they highlight on their website: “Nothing to store – nothing to share with anyone.” So what happens if a government asks for your data? “If someone asks for it, the best we can do is shrug our shoulders. And we like it that way.”
So, at least on the surface, it would seem impossible for anyone to hack NordVPN and get any information on any user. However, as you might guess, this is not the complete story. NordVPN admits that they have to store some of your information to operate your VPN service. They need to store your email address (after all, they need to communicate with you in case you want to change your password or need other support) and payment information (you may want a refund). They also store cookies to use with Google Analytics and to determine which of their partners may have sent you to their site. The fact that NordVPN does not store much information does not preclude them from watching what you are doing while online. This is made abundantly clear in their terms of service. There are numerous actions that can lead to the suspension of your account. Obviously, for them to know if you have committed one of these illegal actions, they need to watch you or have some third person report you. So, the definition of ‘privacy’ here is a bit fuzzy.
Nonetheless, NordVPN should still be difficult to hack. So what happened? Well, it seems that a server in Finland was hacked through a man-in-the-middle attack. The timeline of the attack is depicted in an explanation from the company.
So it was over a year before NordVPN knew it was hacked and another half year before their customers were informed. The company explains the delay as necessary to ensure that no other servers were infected.
But what did the hacker do after they breached the server? The details are slow in coming out but, apparently, once the attacker got access to the server, they stole some encryption keys so that they could deceive some users into thinking they were using the NordVPN server, when, in fact, they were being watched by the attacker.
The attack could be mitigated by the browser, which would detect the expired certificate that the attacker would try to use.
At first, NordVPN claimed that only one user was compromised in this way. This made it look like a targeted attack. That’s certainly possible if, say, some repressive government wanted information on one specific person. However, information that has surfaced in the last few days indicates that up to 2000 accounts were compromised. The attackers used something termed ‘credential stuffing’ to gain access to these accounts. Credential stuffing leverages the fact that users use the same passwords on multiple sites. Thus, getting the passwords for one site allows attackers to find the same username on another site and match it to a password they already know. Although Pastebin has taken down many of these dumps, they are still arriving on the site every day.
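A defender's view of the credential-stuffing pattern described above, as an added example that is not part of the original article: it labels source IPs in a login log by whether attempts spread across many accounts (stuffing) or pile up on one (brute force). The log format, addresses, usernames and thresholds are all constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def build_sample_log():
    """Constructed log lines: timestamp, source IP, username, result."""
    t0 = datetime(2019, 11, 1, 10, 0, 0)
    def line(sec, ip, user, result):
        return f"{(t0 + timedelta(seconds=sec)).isoformat()} {ip} {user} {result}"
    lines = []
    for i in range(8):   # one try each against many accounts: stuffing pattern
        result = "OK" if i == 5 else "FAIL"   # one reused password works
        lines.append(line(4 * i, "203.0.113.7", f"user{i}@example.com", result))
    for i in range(8):   # many guesses against one account: brute-force pattern
        lines.append(line(3 * i, "198.51.100.9", "carol@example.com", "FAIL"))
    # an ordinary user who mistypes once, then logs in
    lines.append(line(0, "192.0.2.44", "dave@example.com", "FAIL"))
    lines.append(line(20, "192.0.2.44", "dave@example.com", "OK"))
    return lines

def classify_sources(lines, window=timedelta(minutes=5), min_attempts=6):
    """Label each source IP by the shape of its first burst of login attempts."""
    by_ip = defaultdict(list)
    for entry in lines:
        ts, ip, user, result = entry.split()
        by_ip[ip].append((datetime.fromisoformat(ts), user, result == "OK"))
    report = {}
    for ip, events in by_ip.items():
        events.sort()
        start = events[0][0]
        burst = [e for e in events if e[0] - start <= window]
        per_user = Counter(user for _, user, _ in burst)
        if len(burst) < min_attempts:
            label = "normal"
        elif len(per_user) >= 0.8 * len(burst):
            label = "credential-stuffing"   # nearly every attempt hits a new account
        else:
            label = "brute-force"           # repeated guesses at the same accounts
        # Accounts that accepted a stuffed password need a forced reset.
        reset = sorted({u for _, u, ok in burst if ok}) if label == "credential-stuffing" else []
        report[ip] = {"label": label, "accounts": len(per_user), "reset": reset}
    return report

if __name__ == "__main__":
    for ip, verdict in classify_sources(build_sample_log()).items():
        print(ip, verdict)
```

The single successful login inside the stuffing burst is the account whose owner reused a password from another site, which is why it is the one flagged for reset.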
Sites that evaluate the best VPNs are rapidly dumping NordVPN. At one time, it was a darling among VPNs. As one reviewer wrote, “if pure security is your need, then Nord is one of the options for you, thanks to the provider’s 2048-bit encryption that’d leave even the military impressed – and blocked out.” In the past, such praise was common. Now, you would be hard-pressed to find it listed among any of the top VPNs.
But is this fair? Only one server was breached, after all. However, that’s not what the average VPN user hears. They only hear that NordVPN was hacked and, therefore, cannot be trusted. No matter what Nord does, and it is trying everything, business will inevitably slump. If it survives this slump, it may recover and, after enough time passes, revive its reputation, even though it may have as much security in place as the best VPN services.
In fact, many in the tech world caution about depending too much on any VPN for privacy and security. A VPN is a useful tool for some situations such as spoofing your location so that you can view a website or use a service. VPNs can keep you relatively safe from government surveillance unless you are a high-profile target. I use VPNs to get around China’s ban without much trouble. The fact is that most governments don’t have the time or money to follow every internet user.
Maybe the best outcome of this hack is to highlight these VPN limitations. VPN users should know that their browsing is not completely private. VPN companies that sell you services know what you are doing online and will most likely give up this information if pressed by government agencies. Tor is a safer option, but it is not foolproof. Therefore, it’s best to look at private browsing as an ideal rather than a fact. It is a goal that VPN providers should aspire to, but one that they will probably never attain.