Thousands of NordVPN user passwords leaked online

5 Nov 2019

Image: © Tierney/

NordVPN user credentials have appeared online just weeks after the company revealed it had been breached, though there is no evidence the two events are connected.

The misfortunes of popular VPN server NordVPN continue. Just weeks after the company revealed it was breached in March 2018, thousands of users have now fallen victim to credential-stuffing attacks that allow unauthorised users to access their accounts.

Credentials for NordVPN users, including email addresses, plaintext passwords and expiration dates, have been circulated on online forums such as Pastebin.

Dan Goodin of Ars Technica reported that he had received a list of around 753 credentials on Thursday (31 October), most of which were still in use by NordVPN customers at time of their reporting. Breach notification website Have I Been Pwned, meanwhile, reported 10 other lists of this nature.

While there is nothing to suggest that the appearance of these credentials constitutes a breach, or that it was related in any way to the breached crypto keys circulating after the March 2018 event, some commentators have criticised NordVPN for not being as proactive in scanning message boards for leaked passwords.

Password security

Many of the leaked passwords were found to be very weak, falling well behind the threshold of what experts would consider to be sufficiently robust passwords.

This has led some to conclude that the unauthorised access was the result of ‘credential-stuffing’, a method of attack that involves hackers using credentials from one leak to access other accounts with the same username and passwords. This method of attack relies upon the fact that many users will recycle the same passwords across many accounts.

“The credentials that were used to get access to NordVPN accounts were stolen from previous leaks and breaches and hacks that have nothing to do with NordVPN,” a representative from the firm explained.

“It could be data that was breached this year from such companies like Canva, Evite, 500px, or even it can be a result of some older breaches like LinkedIn, Dropbox or MyHeritage.”

Despite stern warnings from cybersecurity experts, some of the most common passwords are still ones that are extremely vulnerable to being hacked.

Eva Short was a journalist at Silicon Republic