NordVPN reveals that it was hacked in March 2018

22 Oct 2019

Image: © BrandonScene/

Popular VPN provider NordVPN was breached in 2018 when a hacker exploited an unsecure remote management system.

Users looking to beef up the privacy of their browsing may be disquieted by the latest breach disclosure, as popular VPN server NordVPN has confirmed that it was hacked.

In an official statement yesterday (21 October), the company explained how a data centre based in Finland, which NordVPN leased, was accessed in March 2018. The hacker was able to exploit an “insecure remote management system” operated by the data centre owner.

NordVPN said that the server did not contain any activity logs and that the company does not store user credentials, meaning they couldn’t possibly be compromised. It added that there were “no signs that any of our customers were affected or that their data was accessed by the malicious actor”.

“This was an isolated case and no other data centre providers we use have been affected,” the company continued.

Nord VPN claimed that it did not disclose the breach immediately because it needed to ensure that none of its infrastructure could be prone to similar issues. “This couldn’t be done quickly due to the huge number of servers and the complexity of our infrastructure.”

The company concluded: “With this incident, we learned important lessons about security, communication and marketing.”

Security concerns

The firm’s disclosure comes hot on the heels of rumours that it had been compromised after number of expired private keys were leaked online.

NordVPN has proven to be a popular VPN service for users hoping to anonymise their internet traffic, with a total of 12m users availing of the service. However, some commentators, such as senior network engineer Kenneth White, have argued that services such as NordVPN that post pre-shared keys online are not secure.

Yesterday, it was reported that Avast antivirus network was hacked in what the company termed a “cyberespionage attempt”. A hacker accessed Avast’s systems through a compromised VPN profile that was accidentally kept enabled, without the need for two-factor authentication.

“Global software companies are increasingly being targeted for disruptive attacks, cyberespionage and even nation-state level sabotage, as evidenced by the many reports of data breaches and supply chain attacks over the last few years,” the company said.

Eva Short was a journalist at Silicon Republic