In brief: The vulnerability wasn't immediately disclosed because NordVPN needed to make sure none of their other servers were prone to similar issues. This "couldn't be done quickly due to the huge amount of servers and the complexity of our infrastructure," we're told.
Virtual private network service provider NordVPN on Monday said it has learned of a security issue involving a datacenter partner.
As the timeline goes, the single affected server was built and added to NordVPN's server list in Finland on January 31, 2019. At some point, an attacker gained access to the server via an insecure remote management system left behind by the datacenter. "We were unaware that such a system existed," said NordVPN blog editor Daniel Markuson.
The datacenter reportedly noticed the vulnerability and deleted the remote management account without notifying NordVPN on March 20, 2018.
Markuson said the VPN provider learned of the vulnerability "a few months back" and promptly terminated all contracts with the company. They also launched an internal audit to check their entire infrastructure, conducted an application security audit and started a process to move all of their servers to RAM.
Markuson said the expired TLS key taken when the server was exploited couldn't have been used to decrypt the VPN traffic of any other server. "On the same note, the only possible way to abuse website traffic was by performing a personalized and complicated MiTM (man-in-the-middle) attack to intercept a single connection that tried to access nordvpn.com."
Furthermore, NordVPN said that no user credentials were taken and that the server did not contain any user activity logs.
NordVPN said it is now holding their datacenter partners to "even higher standards" and is working on a bug bounty program.
Masthead credit: NordVPN app by Sharaf Maksumov