NordVPN confirms it was hacked

I think this is a good illustration of what Leo has been saying recently. It’s not enough to just use any VPN, since you’re just ‘kicking the can down the road’, you need to trust the provider. It seems like they don’t keep logs, but still, pretty concerning. I know NordVPN have been advertising very heavily for a while now, a lot of YouTube and Twitch sponsorships etc, so a lot of people impacted by this.

Edit: Here’s their official statement:


The official statement seems to be an open and detailed admission of what went wrong and what they’re doing to improve. Am I being gullible in finding it reassuring?

The attacker gained access to the server — which had been active for about a month — by exploiting an insecure remote management system left by the data center provider, which NordVPN said it was unaware that such a system existed.

Makes you wonder how they are auditing their partners.


As long as I can kick my can just far enough down the road so my ISP can’t get at it, fill it with personalized ads, and kick it back in my face…


I am curious about that data center, why was remote management left publicly available. I worry about their other customers, how many others servers are exposed?


Yeah, reminds me of the days when I had to worry about access to the DRAC/iLO systems that we ordered for our physical boxes - keeping them out of harms way. Apparently, this provider didn’t seem to think much of it. Weird.

But, I do have to say, Nord’s damage control is decent - they didn’t have to say much and could have hid it - which doesn’t convey much trust with what ends up being a security solutions provider… :hear_no_evil:

Good point. I also want to know who their data center provider was. That firm needs to be exposed.

Glad i never used that findland server, But its hard to say if the really got any customer info other than the ones connecting there. Lets say the got into the server remote admin system, my guess it would be any server that was there so who else was exposed? I think this may go deeper than just nordvpn, so we may here of others, then again is findland part of the gdpr?

Its not been a good time for them. They had problems with their VPN client as well last summer.

Honestly can’t understand why nobody is talking about the data center more? They are the ones who left a PUBLIC access tool out there, a mistake like this seems almost intentional. As well, as the backlash nordvpn is receiving looks a bit too large, as in reality nothing serious happened.