NordVPN, one of the most popular and widely used VPN services out there, yesterday disclosed details of a security incident that apparently compromised one of its thousands of servers based in Finland.

Earlier this week, a security researcher on Twitter disclosed that "NordVPN was compromised at some point," alleging that unknown attackers stole private encryption keys used to protect VPN users traffic routed through the compromised server.

In response to this, NordVPN published a blog post detailing about the security incident, and here we have summarized the whole incident for our readers to let you quickly understand what exactly happened, what's at stake, and what you should do next.

Some of the information mentioned below also contains information The Hacker News obtained via an email interview with NordVPN.

What has been compromised? — NordVPN has thousands of servers across the world hosted with third-party data centers. One such server hosted with a Finland-based datacenter was unauthorizedly accessed on March 2018.

How did it happen? — The company revealed that an unknown attacker gained access to that server by exploiting "an insecure remote management system left by the datacenter provider while we (the company) was unaware that such a system existed."

What has been stolen? — Since NordVPN does not log activities of its users, the compromised server "did not contain any user activity logs; none of the applications send user-created credentials for authentication, so usernames/passwords couldn't have been intercepted either."

However, the company did confirm that the attackers successfully managed to steal a TLS encryption key responsible for protecting VPN users' traffic routed through the compromised server.
Though NordVPN tried to downplay the security incident in its blog post by quoting the stolen encryption key as "expired," when The Hacker News approached the company, it did admit that the key was valid at the time of the breach and expired only after NordVPN discovered the incident just a few months ago.

What might attackers have achieved? — Almost every website today use HTTPS to protect its users' network traffic, and VPNs basically just add an extra layer of authentication and encryption to your existing network traffic by tunneling it through a large number of its servers (exit nodes), restricting even your ISPs from monitoring your online activities.

Now with one encryption key in hand, attackers might have decrypted that extra layer of protection coated over the traffic passed through the compromised server, which, however, can not be still used to decrypt or compromise users' HTTPS encrypted traffic.

"Even if the hacker could have viewed the traffic while being connected to the server, he could see only what an ordinary ISP would see, but in no way, it could be personalized or linked to a particular user. And if they do it not through this server, they would do it using MiTM," the NordVPN spokesperson told The Hacker News.

"On the same note, the only possible way to abuse website traffic was by performing a personalized and complicated MiTM attack to intercept a single connection that tried to access nordvpn.com," the company said in its blog post.

In other words, the attack possibly allowed attackers to only capture users' unencrypted data exchanged with non-HTTPS websites, if any, or DNS lookups for some users, and also defeated the purpose of using a VPN service.

"We are strictly no-logs, so we don't know exactly how many users had used this server," NordVPN said. "However, by the evaluation of server loads, this server had around 50-200 active sessions."

To be noted, "the (stolen encryption) key couldn't possibly have been used to decrypt the VPN traffic of any other (NordVPN) server," the company confirmed.

How NordVPN addressed the security breach? — After discovering the incident a few months ago, the company "immediately terminated the contract with the server provider" and shredded all the servers NordVPN had been renting from them.

NordVPN also immediately launched a thorough internal audit of its servers to check its entire infrastructure, and double-checked that "no other server could possibly be exploited this way."

The company said next year, it will also "launch an independent external audit all of our infrastructure to make sure we did not miss anything else."

The company also admitted that it "failed" to ensure the security of its customers by contracting an unreliable server provider, and that it is "taking all the necessary means to enhance our security."