Cyber Incident Victim: NordVPN
Date: Mar 2018
Location: Finland
Summary
A hacker breached servers belonging to NordVPN and other VPN providers, exploiting an insecure remote management tool to steal private keys associated with web server certificates and VPN configuration files. The compromised keys, which were later leaked, could have enabled impersonation or man-in-the-middle attacks prior to their expiration, though the company confirmed no user data was accessed and VPN traffic remained secure. The incident highlighted infrastructure vulnerabilities, prompting removal of marketing claims about unhackability, while TorGuard—also affected—attributed its breach to a reseller’s activity and maintained its primary certificate authority key was uncompromised.
Description
In March 2018, an attacker breached servers belonging to NordVPN by exploiting an insecure remote management tool, gaining unauthorized access to systems. The intrusion remained undetected until October 2019, when a security researcher publicly disclosed via Twitter that NordVPN’s private TLS certificate keys had been leaked online. These keys, associated with the company’s website security, had expired prior to the disclosure but could have enabled impersonation attacks or man-in-the-middle (MiTM) decryption of encrypted web traffic if exploited while active. The attacker also stole OpenVPN configuration files and cryptographic keys used for NordVPN’s service infrastructure. Concurrently, servers operated by TorGuard VPN and potentially VikingVPN were compromised through separate vectors, with an 8chan post claiming root-level access to these systems. TorGuard attributed its breach to suspicious activity at a third-party reseller, unrelated to its core public key infrastructure (PKI) management. VikingVPN did not publicly acknowledge or clarify its involvement.

NordVPN confirmed the 2018 breach, stating no user credentials or activity logs were accessed and emphasizing that the stolen TLS certificate had expired before the leak, rendering it unusable for decrypting active VPN traffic. The company asserted that its VPN encryption remained intact, with no evidence of intercepted user data. TorGuard similarly clarified that its primary certificate authority (CA) keys were not compromised during the reseller-related incident. Following the disclosure, NordVPN removed advertising materials claiming the service was “unhackable,” acknowledging the broader reality of infrastructure vulnerabilities. The incident highlighted risks associated with third-party server management tools and PKI exposure, demonstrating that even prominent VPN providers face operational security challenges. No evidence emerged of malicious exploitation of the stolen keys prior to their expiration, though the breach underscored persistent threats to trust mechanisms in encrypted services.
