I think this is a good illustration of what Leo has been saying recently. It’s not enough to just use any VPN, since you’re just ‘kicking the can down the road’, you need to trust the provider. It seems like they don’t keep logs, but still, pretty concerning. I know NordVPN have been advertising very heavily for a while now, a lot of YouTube and Twitch sponsorships etc, so a lot of people impacted by this.
The official statement seems to be an open and detailed admission of what went wrong and what they’re doing to improve. Am I being gullible in finding it reassuring?
The attacker gained access to the server — which had been active for about a month — by exploiting an insecure remote management system left by the data center provider, which NordVPN said it was unaware that such a system existed.
Makes you wonder how they are auditing their partners.
I am curious about that data center: why was remote management left publicly available? I worry about their other customers; how many other servers are exposed?
Yeah, reminds me of the days when I had to worry about access to the DRAC/iLO systems that we ordered for our physical boxes - keeping them out of harm’s way. Apparently, this provider didn’t seem to think much of it. Weird.
But, I do have to say, Nord’s damage control is decent - they didn’t have to say much and could have hidden it - which doesn’t convey much trust with what ends up being a security solutions provider…
Glad I never used that Finland server, but it’s hard to say if they really got any customer info other than the ones connecting there. Let’s say they got into the server remote admin system; my guess is it would be any server that was there, so who else was exposed? I think this may go deeper than just NordVPN, so we may hear of others. Then again, is Finland part of the GDPR?
Honestly can’t understand why nobody is talking about the data center more. They are the ones who left a PUBLIC access tool out there; a mistake like this seems almost intentional. As well, the backlash NordVPN is receiving looks a bit too large, as in reality nothing serious happened.