According to the VPN provider, one of their servers was accessed by an unauthorized user, who took advantage of a security vulnerability in remote management software left on the server by the hosting provider.
This just goes to show that even if the stuff you install on your server is secure and audited, the stuff that it comes with can’t be trusted. This is the main argument for the minimum necessary packages aspect of hardening.
NordVPN claims that no user credentials were obtained, nor were any logs. (They reiterated that they do not keep logs.)
NordVPN claims it found out about the breach “a few months ago” but didn’t disclose it until all systems were secure.
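The thread's point is that software the hosting provider leaves on a rented box (remote management, out-of-band agents) can open a door the tenant never audited. As an added example, not code from the thread or from any VPN provider, here is a small POSIX shell check that takes `ss -tlnp`-style output and reports every listening TCP service that is not on an explicit allowlist of port:process pairs. The sample output and the process names (including the `vendor-kvm-agent` entry standing in for an unexpected management daemon) are constructed for illustration; on a real host you would feed it the live output of `ss -tlnp`.

```shell
#!/bin/sh
# Added example (not from the thread): flag listening TCP services that are
# not on an explicit allowlist, so an unexpected remote-management agent on a
# rented server stands out during build-time and periodic audits.

# Constructed sample of `ss -tlnp` output; process names are hypothetical.
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      4096   0.0.0.0:1194        0.0.0.0:*     users:(("openvpn",pid=1020,fd=6))
LISTEN 0      128    0.0.0.0:5900        0.0.0.0:*     users:(("vendor-kvm-agent",pid=1337,fd=4))'

# Allowlist of port:process pairs expected on this host (hypothetical).
ALLOWED_LISTENERS="22:sshd 1194:openvpn"

# Print one line per listener not on the allowlist, as "port process".
# Usage: unexpected_listeners "$ss_output" "$allowlist"
unexpected_listeners() {
    ss_output=$1
    allowlist=$2
    printf '%s\n' "$ss_output" | awk -v allow="$allowlist" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            # Port is whatever follows the last ":" in the local address column
            # (works for 0.0.0.0:22, [::]:22 and *:22 alike).
            port = $4; sub(/.*:/, "", port)
            # Process name is the first quoted token in the users:(("name",...)) field.
            proc = "unknown"
            if (match($0, /users:\(\("[^"]+"/)) {
                proc = substr($0, RSTART + 9, RLENGTH - 10)
            }
            if (!((port ":" proc) in ok)) print port, proc
        }'
}

# Number of unexpected listeners; handy as an alert threshold in a cron job.
unexpected_listener_count() {
    unexpected_listeners "$1" "$2" | awk 'END { print NR }'
}

# Stand-alone run over the constructed sample: reports the 5900 listener.
unexpected_listeners "$SAMPLE_SS_OUTPUT" "$ALLOWED_LISTENERS"
```

The allowlist is deliberately port *and* process, so a known port taken over by a different binary is reported too. Against a live system, replace the sample with `ss -tlnp` output captured as root (process names are only shown for processes you can see), and treat any hit as something to explain, remove, or firewall before the host goes into service.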
Bummer
I use NordVPN, though I haven’t connected to any of their servers in Finland.
But it’s kinda alarming that they don’t check if the data center has any remote management on the servers they rent, when they set them up.
How does it matter that they tell us in a timely manner? Obviously there’s going to be user flight when it comes out, but it’s not like you can actually do anything about what’s already happened.
The important thing is to actually take steps to ensure you’re not alerting the general public that your systems are currently insecure in a specific manner. If they released this before the systems were patched, it’d have been way worse. Open season on the servers.
Totally agree, but it shouldn’t take them months to fix the problem. In this case it reads like they wouldn’t have disclosed at all, but rumors were going around to force their hand. Whether that’s true is immaterial, the optics are bad.
If you take an unreasonably long time to disclose it looks like you’re trying to cover up. That’s a much bigger problem than getting hacked in the first place which again, happens to everybody.
Ain’t it funny how a company which touts privacy all night long won’t disclose their own breach? Sure does instill trust in me, and they definitely aren’t lying about anything else. /s
5ish months, and since then they have encouraged others to either have OOBM fixed or replaced? Seems okay to me.
Like bug reporting, disclose when others are fixed, else everyone else gets spanked straight away?