Cyber Incident Victim: TorGuard
Date: Mar 2018
Location: Finland
Summary
A hacker breached servers belonging to multiple VPN providers, including TorGuard, compromising private keys associated with web server certificates and OpenVPN configuration files. The attacker reportedly gained root access to infrastructure, with TorGuard attributing the incident to suspicious activity at a reseller unrelated to their core PKI management. While stolen keys could have enabled website impersonation or man-in-the-middle attacks prior to certificate expiration, the company confirmed no user data was compromised and emphasized their primary certificate authority key remained secure. The breach highlighted vulnerabilities in VPN infrastructure security practices despite assurances of robust protections.
Description
In March 2018, a hacker breached servers belonging to TorGuard VPN and other providers, including NordVPN and potentially VikingVPN. The attacker gained root access to these systems and stole private keys for TLS certificates (which have since expired) along with OpenVPN configuration files. For TorGuard, the intrusion originated through suspicious activity at a third-party reseller, though the company clarified that this access point was unrelated to its core public key infrastructure (PKI) management systems. A stolen TLS private key, if used while its certificate was still valid, could have allowed an attacker to impersonate a legitimate VPN website or to mount man-in-the-middle attacks against users and decrypt their traffic. TorGuard emphasized, however, that its primary Certificate Authority (CA) key remained uncompromised throughout the incident.

The breach became publicly known in October 2019 when security researchers identified leaked private keys online, followed by an 8chan post claiming responsibility for the intrusions. TorGuard confirmed no user data was accessed or exfiltrated during the breach, maintaining that VPN traffic remained secure due to the expiration of the compromised certificates and the integrity of their core encryption systems. The company issued statements distancing the incident from their primary security infrastructure, attributing it solely to reseller-related vulnerabilities. Concurrently, NordVPN's advertising claims of being "unhackable" were retracted following the disclosure, highlighting broader industry challenges in securing VPN infrastructure against determined attackers. The incident underscored persistent risks associated with third-party access points and the critical importance of robust certificate management practices across the VPN sector.
