NordVPN Encryption Keys Stolen

Ebernanut ([H]ard|Gawd, joined Dec 15, 2010; 1,908 messages)

Article:

"Breach happened 19 months ago. Popular VPN is only disclosing it now.

Hackers breached a server used by popular virtual network provider NordVPN and stole encryption keys that could be used to mount decryption attacks on segments of its customer base."

"The revelations came as evidence surfaced suggesting that two rival VPN services, TorGuard and VikingVPN, also experienced breaches that leaked encryption keys."


Personal comment: It might just be someone screwing around, but that's an interesting enough target to make me wonder who it was and what their goal is. I know all three are some of the VPN services that have been mentioned around here before.
 
I'll be honest, I never understood the appeal of paying to use someone's VPN - I don't trust NordVPN (or any other commercial VPN, not picking on them specifically) any more than I do any website I visit. I just use the internet in a way that I wouldn't mind if every single keystroke I make were put on billboards outside my house. Certainly cheaper, and I won't get upset when the next breach is announced.
 
I'll be honest, I never understood the appeal of paying to use someone's VPN - I don't trust NordVPN (or any other commercial VPN, not picking on them specifically) any more than I do any website I visit. I just use the internet in a way that I wouldn't mind if every single keystroke I make were put on billboards outside my house. Certainly cheaper, and I won't get upset when the next breach is announced.

So how do you get your kink porn then? 8mm?

But seriously, VPNs are useful for more than just obfuscating your tracks on the web. It's a necessity if you want to use an open WiFi hotspot (and even then I don't recommend that). I do take your point about paying for someone else's service - but in my case... I have a crap ISP at home; if I tried to VPN through my ISP it would be abysmal everywhere.
 
There is no such thing as privacy on the internet.
Exactly. It doesn't matter who keeps record of your browsing history, your isp or a vpn provider, but someone does either way.

I only use VPN to get around geoblocks. But companies are fighting back. It's time someone made a fake telephone number service to go with vpn because some providers started implementing phone checks to see if you're really in the country your IP suggests.
 
There is no such thing as privacy on the internet.
Yup. You can just make it harder. Everything is NSA or CCP poz'd at the exchange via fibre sniffing, and if you escape that and are causing problems, then hardware-level exploits required by crypto export laws and 'national security, aka fuck you' will get you.
 
I think it's important not to underestimate how much privacy can be gained - you'll never have total, complete privacy/security, and like many things in computing it's a diminishing-returns system. However, that means that some of the relatively easy/convenient steps you can take to add privacy, even things like using Firefox w/ privacy-related add-ons and blockers, encrypting your files locally, using an encrypted email provider, switching from SMS to Signal and/or Matrix for encrypted messaging, etc., can offer a lot of benefits. Things like VPN, Tor, using as much Free/Libre open source software (FLOSS) as possible, etc. also can contribute to this, along with seeking out alternatives to major company services (i.e. if you don't wish to / can't break with social media entirely, switch to using Fediverse-compatible services, etc.) that are decentralized and/or distributed.

When it comes to VPNs, it's amazing how many of them are absolute crap, but there are a handful of not-totally-terrible ones that many suggest, and I saw NordVPN on that list. Now I personally have never used them because a company calling itself "NordVPN" and being based in Panama is a red flag when it comes to trust; there were other offerings without that kind of concern. One of the most important and least prevalent VPN features is the ability to connect only to VPN servers directly under the company's control - no middlemen, no 3rd-party colocation or virtualization, etc. - which can minimize the attack vectors. It does no good to have an "honestly no logging, fully encrypted, etc." VPN service if someone can walk into a data center used for one of their nodes and get them to log, compromise, etc. As far as I'm aware, Mullvad, ProtonVPN, and CryptoStorm all offer this feature, along with other elements such as the WireGuard protocol as well as OpenVPN. This will at least minimize the chance of issues happening like the one that allowed this breach.

VPNs can be a piece of the puzzle, but nobody should expect them to either solve a problem they're not designed for or act as a be-all-end-all. Regardless, looking for the better VPN options (i.e. start with the requirements listed on privacytools.io - and note that thatoneprivacysite was actually hacked and its VPN ratings changed, so be wary!) is a good place to start.
 
I'll be honest, I never understood the appeal of paying to use someone's VPN - I don't trust NordVPN (or any other commercial VPN, not picking on them specifically) any more than I do any website I visit. I just use the internet in a way that I wouldn't mind if every single keystroke I make were put on billboards outside my house. Certainly cheaper, and I won't get upset when the next breach is announced.

If you ever have the opportunity to get targeted (which isn't hard nowadays) - you will learn to love VPN. It's not foolproof, obviously - but it makes things really hard for most hackers.

The breach was on unknown 3rd-party software installed on the datacenter host system. I'm sure they didn't want to release any news before it was all cleaned up - but yeah, concerning.
 
I posited this to my go-to security guy on the web; here's his edited response.
  • Not disclosing the breach immediately when discovered. There is zero shame in admitting it, informing your customers about it, and making multiple updates as your investigation progresses. Yes, there is going to be a subset of people who will scream bloody murder but it shows a willingness to be open and transparent which will maintain trust and brand confidence.


  • Using misleading statements. For example, NordVPN states that they "rented a server". What they actually did is spin up a virtual private server or VPS. If you legitimately rent a full blown server, you have root access to the entire box and can know, exactly, what is running on that box. When using a VPS, you only get access to your slice and the backend is a black box.


  • Using preshared and long-lasting certificates/keys. Kenn White did a good job explaining why this is not a sound practice and what complications can arise from doing so. Any decent VPN provider, even one you set up at home, should be generating unique certificates/keys per visitor per connection so MitM attacks are largely improbable.


  • In a response on his GitHub page, Kenn White stated "I'm aware of only one service that has undergone independent 3rd party security review (still in progress)." Here he is talking about ProtonVPN.
  • To add to the problem of not physically owning all their servers, I don't see any statement on NordVPN's website that states what they do to secure the servers themselves. That leads me to believe that they, NordVPN, don't actually own a ton of hardware and reinforces my belief that they use VPSes nearly exclusively which are inherently less secure. In doing so, they left themselves open to the problem that occurred. This is directly their fault.

  • Because of this breach, they will need to go through and audit every single VPS they rent to truly certify that they're running a clean VPN. That is expensive, time-consuming, and labor-intensive. In their press release, they have stated they have done so. However, without root access to each hypervisor they run a VPS on top of, how did they accomplish this? This goes back to their lack of transparency.
I am going to recommend the VPN I use which is being audited by a third party, is headquartered and operated out of a country with the strongest privacy laws in the world, and has zero issues with being transparent...ProtonVPN.

BoP from bluesnews
 
I'll be honest, I never understood the appeal of paying to use someone's VPN - I don't trust NordVPN (or any other commercial VPN, not picking on them specifically) any more than I do any website I visit. I just use the internet in a way that I wouldn't mind if every single keystroke I make were put on billboards outside my house. Certainly cheaper, and I won't get upset when the next breach is announced.

That's a horrible mindset, for one you don't even need a VPN to do some simple changes to protect yourself. For example, set up Secure DNS in Firefox, encrypted SNI, use a DNS server that implements DNSSEC. Turn off NetBIOS/LLMNR. Disable SMB 1.0. None of that requires VPN.

It's not about your keystrokes; any saved or cached password could be leaked or easily intercepted.
 
VPNs are important, especially if you travel. You'd be a fool to login to your bank on a coffee shop public wifi or even the connection at an airbnb rental.

Or if you wish to access video streaming in another country, I did this when I was on a trip to Japan where US services are blocked. Or if you develop websites and want to test different servers.

Lots of legitimate uses for VPNs, on top of wanting more privacy sometimes.
 
VPNs are important, especially if you travel. You'd be a fool to login to your bank on a coffee shop public wifi or even the connection at an airbnb rental.

Or if you wish to access video streaming in another country, I did this when I was on a trip to Japan where US services are blocked. Or if you develop websites and want to test different servers.

Lots of legitimate uses for VPNs, on top of wanting more privacy sometimes.
No real reason to use a 3rd-party VPN. VMs/VPSes are practically free & you can spin one up anywhere you need one & shut it off when done. You can then do an SSH/SOCKS tunnel for privacy. Done.
 
You can't decrypt even saved data with just the encryption keys. Everyone now uses some Diffie-Hellman elliptic-curve whatever hot variant, and the keys are generated PER SESSION and are gone forever; they aren't stored anywhere. Even if you had them, tying them to an IP, let alone a person, is getting into 0.00000000000000001 chances here.
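The point made in the security write-up a few posts up (the bullet on preshared, long-lasting keys) and in the post just above is easiest to see in code. What follows is an added example written for this page; it is not code from the thread, from NordVPN, or from any VPN software. It assumes a toy finite-field Diffie-Hellman group (the Mersenne prime 2^127 - 1 with generator 3, chosen only so the numbers stay small; real deployments use RFC 7919 groups or X25519), SHA-256 as the key-derivation function, and it does not model the signature with which a real TLS/OpenVPN server authenticates its ephemeral value. It records the transcript of one connection in each mode, then lets an attacker who later steals the server's long-term private key try to recover the session key of that recorded connection.

```python
"""Toy model: why per-session (ephemeral) keys limit the damage of a stolen
long-term VPN server key.  Added example with ASSUMED parameters: DH over a
Mersenne prime with generator 3 (illustration only, not a real-world group),
SHA-256 as KDF, and no modelling of the server's signature over its ephemeral
public value."""
import hashlib
import secrets
from dataclasses import dataclass

P = (1 << 127) - 1   # toy prime modulus (assumption: for illustration only)
G = 3                # toy generator


def keygen():
    """Return (private, public) with public = G^private mod P."""
    sk = secrets.randbelow(P - 3) + 2
    return sk, pow(G, sk, P)


def session_key(shared: int) -> bytes:
    """Derive a symmetric session key from the DH shared secret."""
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


@dataclass(frozen=True)
class Transcript:
    """What a passive eavesdropper on the wire records for one connection."""
    client_pub: int
    server_pub: int


def handshake_static(server_sk: int, server_pk: int):
    """Server reuses its long-term DH key for every connection (no forward
    secrecy).  Returns (session key, recorded transcript)."""
    a, client_pub = keygen()                      # client ephemeral
    key = session_key(pow(server_pk, a, P))       # client side
    assert key == session_key(pow(client_pub, server_sk, P))  # server side
    return key, Transcript(client_pub, server_pk)


def handshake_ephemeral(server_sk: int):
    """Server generates a fresh DH key per connection; server_sk would only be
    used to sign server_eph_pub in a real protocol (not modelled).  The
    ephemeral private value is discarded after the handshake."""
    a, client_pub = keygen()
    b, server_eph_pub = keygen()                  # b lives only for this handshake
    key = session_key(pow(server_eph_pub, a, P))  # client side
    assert key == session_key(pow(client_pub, b, P))  # server side
    del b                                         # nothing to steal later
    return key, Transcript(client_pub, server_eph_pub)


def attack_recorded_session(transcript: Transcript, stolen_server_sk: int) -> bytes:
    """Attacker who later steals the long-term key tries to recover the session
    key of a previously recorded connection from the transcript alone."""
    return session_key(pow(transcript.client_pub, stolen_server_sk, P))


def demo():
    """Run one connection in each mode, then leak the long-term key."""
    server_sk, server_pk = keygen()               # the key that later leaks
    static_key, static_tx = handshake_static(server_sk, server_pk)
    eph_key, eph_tx = handshake_ephemeral(server_sk)
    return {
        "static_session_decrypted": attack_recorded_session(static_tx, server_sk) == static_key,
        "ephemeral_session_decrypted": attack_recorded_session(eph_tx, server_sk) == eph_key,
    }


if __name__ == "__main__":
    print(demo())  # {'static_session_decrypted': True, 'ephemeral_session_decrypted': False}
```

Two caveats a practitioner should keep in mind. Forward secrecy protects past captures only: until the leaked key expires or is revoked, whoever holds it can still stand up a server that authenticates as the real one and intercept new connections from clients that trust that key, which is exactly why a stolen server key matters even when every session used ephemeral keys. And the toy above omits the signature over the server's ephemeral value; without that authentication step an active attacker does not need the stolen key at all, so "per-session keys" and "a long-term key used only for authentication" are both required, not alternatives.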
 
I'll be honest, I never understood the appeal of paying to use someone's VPN - I don't trust NordVPN (or any other commercial VPN, not picking on them specifically) any more than I do any website I visit. I just use the internet in a way that I wouldn't mind if every single keystroke I make were put on billboards outside my house. Certainly cheaper, and I won't get upset when the next breach is announced.

man this is naive and dumb
 
If you ever have the opportunity to get targeted (which isn't hard nowadays) - you will learn to love VPN. It's not foolproof, obviously - but it makes things really hard for most hackers.

The breach was on unknown 3rd-party software installed on the datacenter host system. I'm sure they didn't want to release any news before it was all cleaned up - but yeah, concerning.
I had ALL of my accounts compromised on thanksgiving day ~10 years ago. Bank accounts in overdraft, credit cards all maxed out, and a bunch of fraudulent ebay listings for high-end mac hardware on my ebay account. Because of that I now use MFA on any account I care about (yubikey or google authenticator - SMS barely counts as far as I'm concerned.) The only real hassle was dealing with banks - which is why I no longer have a debit card associated with any of my checking accounts. I just don't see how a VPN is going to protect my accounts any more than a 30 character password and MFA.

man this is naive and dumb
man this is pointless and dumb
 
I just don't see how a VPN is going to protect my accounts any more than a 30 character password and MFA.

I just use the internet in a way that I wouldn't mind if every single keystroke I make were put on billboards outside my house. Certainly cheaper, and I won't get upset when the next breach is announced.

come on just one more comment and you can strike out in this thread completely
 
come on just one more comment and you can strike out in this thread completely
Come on, one more unsubstantiated and pointless comment and you can strike out in this thread completely.

I know I shouldn't feed trolls, but shouting "you're wrong/naive/dumb" isn't offering an argument, it's just annoying. All you need to do to make it a weak ass argument is claim some form of authority - maybe you're an internet expert with qualifications that I lack and that's why my opinion is naive/dumb? It's a stupid way to argue a point, but at least you'd have a point. Much better would be to explain how I'm being dumb and naive - sort of like this explanation of why you're barely even hitting the level of troll.
 
Come on, one more unsubstantiated and pointless comment and you can strike out in this thread completely.

I know I shouldn't feed trolls, but shouting "you're wrong/naive/dumb" isn't offering an argument, it's just annoying. All you need to do to make it a weak ass argument is claim some form of authority - maybe you're an internet expert with qualifications that I lack and that's why my opinion is naive/dumb? It's a stupid way to argue a point, but at least you'd have a point. Much better would be to explain how I'm being dumb and naive - sort of like this explanation of why you're barely even hitting the level of troll.
Ignore him. We all see the same thing you do.
 
Forget the academic privacy debates. Not disclosing this breach for 19 months tells me everything I need to know about NordVPN.
I switched to their service a few months ago from PIA, because of increased security (based out of US), however their service is SLOW! I frequently connect to IPs where I get no connection. Not sure if my ISP is blocking those servers or what, but I never had problems with PIA.
 
That's a horrible mindset, for one you don't even need a VPN to do some simple changes to protect yourself. For example, set up Secure DNS in Firefox, encrypted SNI, use a DNS server that implements DNSSEC. Turn off NetBIOS/LLMNR. Disable SMB 1.0. None of that requires VPN.

It's not about your keystrokes any saved or cached password could be leaked or easily intercepted
Just noticed this comment - I'm not sure where you disagree with me, you're agreeing that a 3rd party VPN is really only useful if you trust the 3rd party to keep your traffic private... right? That's essentially my position - that I expect my ISP to sell every scrap of info they collect on me to the highest bidder, and I'm not concerned enough about it (and don't use public wifi or need to get around geoblocking) to find 3rd party VPNs worth spending any money on.

Where did I state that I'm using my ISP's default DNS? (Side note: I'm actually using a pihole and opendns with google's dns as the secondary in case the pihole or opendns are having issues.) And again, I'm not using my local coffee shop's wifi (or my neighbor's, or anyone else's for that matter,) I've already set the DNS of my choice, and I'm pretty comfortable setting group policies in windows.

Bottom line: I don't buy the whole "paying for a 3rd party VPN is a privacy panacea" bullshit, and so far no one has posted anything to convince me otherwise.
 
Many use VPNs to get around geo restrictions, like getting access to more content on Netflix, activating product keys for games etc.
Yeah, even Youtube is region locked on content. I'm into Japanese rock and most officially posted Japanese music is region locked on youtube, nowadays. It wasn't that way, 10 years ago. Thanks Google.
 
Yeah, even Youtube is region locked on content. I'm into Japanese rock and most officially posted Japanese music is region locked on youtube, nowadays. It wasn't that way, 10 years ago. Thanks Google.

to be fair you can't blame google for that. blame europe, and the entertainment industry for that crap. same reason why netflix is forced to only allow certain shows/movies in specific regions.
 
I use PIA to get around geolocking. I've never had a single issue with them and the Linux client is fantastic.

I swear this isn't the first time I've heard of issues with NordVPN?
 
Come on, one more unsubstantiated and pointless comment and you can strike out in this thread completely.

I know I shouldn't feed trolls, but shouting "you're wrong/naive/dumb" isn't offering an argument, it's just annoying. All you need to do to make it a weak ass argument is claim some form of authority - maybe you're an internet expert with qualifications that I lack and that's why my opinion is naive/dumb? It's a stupid way to argue a point, but at least you'd have a point. Much better would be to explain how I'm being dumb and naive - sort of like this explanation of why you're barely even hitting the level of troll.

It's plain to see: in one comment you state that you don't value your own privacy ("my keystrokes on billboard"???), then you continued to share how you got yourself hacked and got into a mess with your bank. So why should anything you say be taken seriously past that? You have bad opinions that even contradict themselves between comments. We don't even need to touch the technical aspect of VPNs.
 
Everyone here is aware that a VPN doesn't do anything at the level of the site you are going to, correct? If you go to your bank's site and the bank gets compromised, your data is still going to be stolen, right? If somebody hacks this site, your username and password will still be stolen even if you use a VPN. You can still get malware, viruses and phishing emails on VPN. Everyone is aware of this, correct?
 
Everyone here is aware that a VPN doesn't do anything at the level of the site you are going to, correct? If you go to your bank's site and the bank gets compromised, your data is still going to be stolen, right? If somebody hacks this site, your username and password will still be stolen even if you use a VPN. You can still get malware, viruses and phishing emails on VPN. Everyone is aware of this, correct?
What gave you the idea that we weren't aware.
It's like taking PrEP to prevent hiv, if you're having unsafe sex there are still several other sexually transmitted diseases waiting to be transmitted.
 
Everyone here is aware that a VPN doesn't do anything at the level of the site you are going to, correct? If you go to your bank's site and the bank gets compromised, your data is still going to be stolen, right? If somebody hacks this site, your username and password will still be stolen even if you use a VPN. You can still get malware, viruses and phishing emails on VPN. Everyone is aware of this, correct?

thank you for sharing this, me and my grandma are very thankful.
 
People pay for a VPN?
Don't know if the free one I use changes your location or not, so I guess that's one reason to pay.
 
This is all great (the vigorous back and forth), but I mean we are all using VPNs to pirate all our shows and movies; I've been with PIA for like 10 years. I also use it all the time at the airport because it adds a nice additional layer of encryption. I've also been pirating and seeding movies in the 1st month they are released. NEVER had any problems or a single letter. I think your personal experience is good enough (or as good as it gets) for this particular issue.

unless i am missing something and you all eat CHEESE PIZZA hence the sensitive, quivering tone of the thread.
 
Actual question, would self hosting a VPN be worthwhile via some VPS? And what would the benefits be?
 
it plain to see, in one comment you state that you dont value your own privacy("my keystrokes on billboard"???), then you continued to share how you got yourself hacked and got into a mess with your bank. so why should anything you say be taken seriously past that? you have bad opinions that even contradict themselves between comments. we dont even need to touch the technical aspect of vpns.
Maybe you're just too stupid to figure shit out? I mean on the one hand I get that you can't fix a sub-par IQ, but still I want to tell you to educate yourself. Either way you're "ignored" as far as this forum goes so respond or don't - I'm done feeding this troll.
 