UPDATED with comments from TorGuard.
Leading consumer VPN service provider NordVPN announced today (Oct. 21) that one of its servers had been hacked. But the damage may be worse than NordVPN wants to admit, and rival VPN providers VikingVPN and TorGuard may be affected as well.
In what seems to be a related matter, TorGuard has sued NordVPN, possibly twice. It alleges that NordVPN tried to blackmail TorGuard by threatening to reveal stolen trade secrets, and that NordVPN orchestrated distributed denial-of-service (DDoS) attacks against TorGuard's servers. (TorGuard is not affiliated with the Tor Project that provides anonymous web surfing and hosting, and NordVPN denies the allegations.)
"In early 2018, one isolated datacenter in Finland was accessed without authorization," NordVPN said in a blog posting discussing its own breach. "That was done by exploiting a vulnerability of one of our server providers that hadn't been disclosed to us.
"No user credentials have been intercepted," the NordVPN blog post added. "No other server on our network has been affected. The affected server does not exist anymore and the contract with the server provider has been terminated."
According to various information-security professionals on Twitter, the problem may be far worse. One of NordVPN's private encryption keys was allegedly stolen and shared among many users in the darker corners of the internet. So were private encryption keys from VikingVPN and TorGuard. (NordVPN regularly makes our list of the best VPN services.)
This implies that it might have been possible for anyone to set up their own VPN server, pretend to be NordVPN, TorGuard or VikingVPN and steal user data as it flowed through the server. (In a blog posting, TorGuard said that could not have happened with its stolen private key.) Yet that's exactly what VPN services claim to prevent.
UPDATES: TorGuard disputes that its private key was disclosed in its server breach. We asked TorGuard if it could clarify what the four keys revealed in a text file related to the TorGuard server breach were.
Via Twitter, a TorGuard representative told us that two of the keys were inactive, another was used to identify a server, and the last was a server "individual client key."
"An attacker could do nothing with those keys," the TorGuard representative said.
"What you won't find is TorGuard's main CA [certificate authority] key," the TorGuard Twitter account told us. "We do not store that on VPN endpoints."
Battle of the VPN blogs
NordVPN's blog post said that the company became aware of the server breach "a few months ago," implying that the stolen private key may have been abused for several months. We don't know if anyone actually did exploit it, and the NordVPN blog post implies that the key would have expired in early March 2018.
For its part, TorGuard said in its blog post that due to "secure PKI management," its main certificate authority encryption key was not compromised.
But interestingly, the post hinted that NordVPN itself may have been behind the TorGuard server breach.
"TorGuard first became aware of this disclosure during May of 2019 and in a related development we filed a legal complaint against NordVPN in the Middle District of Florida on June 27, 2019," said the TorGuard post.
An earlier TorGuard blog post said that NordVPN had tried to blackmail TorGuard by threatening to release stolen private information, and that TorGuard in June had filed a lawsuit against NordVPN and a third company. The legal complaint can be read in full here.
For its part, NordVPN said on its own blog in May that it had been "trying to disclose [TorGuard's] own vulnerability to them."
"All of these accusations, and we say this with unwavering confidence, are fabricated," said NordVPN. "We aimed to do the right thing in the right way and to compete honestly without damaging the industry, which is why we were so shocked by the response."
NordVPN said that the lawsuit against it by TorGuard had been dismissed on June 19, but "without prejudice," meaning the lawsuit could be brought again. That seems to be exactly what happened, as the complaint posted by TorGuard is dated June 29.
VikingVPN does not seem to have commented on the allegations that one of its private encryption keys was stolen.
It seems to be no less safe to use NordVPN, TorGuard or VikingVPN as your VPN provider today than it did a week ago. But keep in mind that when you use a consumer VPN provider, you are placing all your trust in that company.
Unintentional tweetstorm reveals nasty truths
The whole problem came to light because of a marketing tweet that NordVPN sent out Friday (Oct. 18).
"Ain't no hacker can steal your online life. (If you use VPN). Stay safe," read the tweet, accompanied by a link to the NordVPN website with the tag line "Get NordVPN. For your own peace of mind". The tweet was later taken down.
VPNs in fact can do little to protect you from identity thieves. The reaction to the tweet from infosec professionals was immediate.
Harshest was @FalconDarkstar, who wrote that "All of these companies, every one, conflates privacy and security in addition to abusing the meaning of 'private' in VPN. It takes gross advantage of unsophisticated users."
But the biggest bomb came from @le_keksec, Twitter account of the Keksec hacking crew, which replied to the NordVPN tweet, "O RLY? This one isn't our work, its just been floating around mostly unnoticed." That was accompanied by a link to a text page that lists private encryption keys to a NordVPN server.
Another Twitter user traced that disclosure to an 8Chan discussion thread from May 2018 (warning: lots of very offensive language). One post in the discussion links to not only a page listing the NordVPN private key, but also to pages displaying private keys for VikingVPN and TorGuard.
Needless to say, this doesn't inspire confidence in many VPN providers.
To its credit, NordVPN took down its marketing tweet two days later, and addressed it in a series of additional tweets.
"Yesterday (sic), our marketing department got ahead of themselves and published an ad on Twitter that triggered the infosec community. The message stated the following: 'Ain't no hacker can steal your online life. (If you use VPN). Stay safe.'
"The infosec community's critique, as always, was swift and precise, pointing out the overstatement. The ad was removed right after it was noticed by our management. We did this not because we hoped to kill the ongoing discussion -- we are well aware of the opposite effect.
"We removed it because the text lacked editorial oversight. For all the messages regarding the expired TLS certificate, we are waiting for our techs to provide all the details. Once done -- we will definitely publish a public statement."
Infosec professionals are already picking apart that public statement, but we'll leave that to them.