Cyber Incident Victim: VikingVPN
Date: Oct 2019
Location: Finland
Summary
In October 2019 an anonymous post claimed that servers belonging to multiple VPN providers, including VikingVPN, NordVPN and TorGuard, had been breached, with the attacker stealing private keys and OpenVPN configuration files. In NordVPN's case the stolen key belonged to a web server TLS certificate that had already expired by the time the leak surfaced; used before expiration, such a key would have let an attacker impersonate the provider's website or mount man-in-the-middle interception of connections to it. No evidence indicated that VPN traffic was decrypted or that user data was compromised. Root access was reportedly obtained through an insecure remote management tool left on a rented server in one case and through suspicious reseller activity in another. The incident highlighted broader weaknesses in VPN infrastructure and certificate-management practice, and NordVPN retracted advertising claims that its service was unhackable after the breach was disclosed.
Description
On or around October 20, 2019, an anonymous 8chan post claimed that servers belonging to multiple VPN providers, including NordVPN, TorGuard and VikingVPN, had been compromised. According to the post and the subsequent provider statements, the attacker gained root access to the affected servers and stole private keys associated with web server certificates along with OpenVPN configuration files. For NordVPN, the compromise itself occurred in 2018 through an insecure remote management tool on a rented server in Finland, but it was not disclosed until October 2019, when security researcher @hexdefined identified a leaked private key matching NordVPN's expired website certificate. Had the key been used before the certificate expired, it could have enabled an attacker to impersonate NordVPN's website or conduct man-in-the-middle attacks against TLS connections to it; once the certificate had expired, clients would no longer trust it, so the main remaining exposure was whatever the attacker had done during the window in which the key was valid. TorGuard's breach reportedly originated from suspicious activity at a reseller account unrelated to its primary PKI management systems. VikingVPN was named in the 8chan post alongside NordVPN and TorGuard as having compromised servers, though the company did not respond to media inquiries to confirm or detail the incident.

NordVPN and TorGuard issued public statements clarifying their respective breaches. NordVPN emphasized that the leaked private key belonged to a TLS certificate that had already expired before the leak, and asserted that no VPN traffic could have been decrypted and that no user credentials or activity logs were accessed. TorGuard confirmed that its main Certificate Authority key remained secure despite the intrusion. Both companies maintained that user data was not compromised. Following the incident, NordVPN removed advertising materials claiming its service was "unhackable." Collectively, the breaches highlighted weaknesses in VPN infrastructure management, particularly around third-party server rentals and reseller access controls. No verifiable information emerged about VikingVPN's response or the scope of its involvement beyond the 8chan claim of server access and OpenVPN key theft. The incident underscored the risks of poor certificate management and the persistence of attack vectors in VPN ecosystems despite provider assurances.
