NordVPN Suffered a Security Breach, Denies Being Hacked

October 21, 2019, 10:44 PM UTC

VPN users typically have a vested interest in having extra privacy while they’re online. But even VPNs can be compromised, which is what happened to NordVPN in March 2018, when one of its servers was breached. News of the compromise surfaced earlier Monday, though the company maintains that it was not hacked.

Announcing that one of its third-party servers in Finland had been compromised, NordVPN disclosed that no other servers were affected and that user activity, passwords, or usernames were not located on the breached server. The server was in use from Jan. 31, 2018, through March March 5, 2018, according to the company. The server that was breached does not exist anymore, the company said, and it has terminated the contract with the server provider.

“We failed by contracting an unreliable server provider and should have done better to ensure the security of our customers,” NordVPN spokesperson Daniel Markuson said in a statement. “We are taking all the necessary means to enhance our security.”

The breach came when a hacker exploited an expired key to access the server. But since the server contained no user activity logs, and none of the VPN’s applications send user-created credentials for authentication, the company said, usernames and passwords for the service could not have been intercepted either. In addition, the method used to breach the network could not be used to compromise Nord’s other servers.

Since the news broke earlier Monday, multiple outlets have reported that NordVPN had been hacked, a claim the company explicitly denies.

“I would like to stress out that our service has not been hacked,” Laura Tyrell, NordVPN’s head of public relations, told Fortune in an email, adding that the breach was an isolated case.

Semantics aside, security breaches of any kind are worrying, especially for VPN businesses. As for why Nord didn’t disclose the breach earlier, Markuson said the company wanted to make sure none of its other infrastructure could be prone to similar issues. The company also said it’s rethinking which third-party data centers it works with.

More must-read stories from Fortune:

—The wireless industry needs more airwaves, but it’s going to be costly
—Demand for Apple’s new iPhone 11 is strong—How to claim a cash settlement of up to $358 for Yahoo’s data breaches
—Now hiring: people who can translate data into stories and actions
—Investors are pouring money into marijuana software. Here’s the latest startup to get funding
Catch up with Data Sheet, Fortune’s daily digest on the business of tech.

Read More

Artificial IntelligenceCryptocurrencyMetaverseCybersecurityTech Forward