29 votes

Hackers steal secret crypto keys for NordVPN. Here’s what we know so far

7 comments

  1. [7]
    Douglas
    Link
    I'm having a hard time understanding how this affects their customers. I understand a key was stolen from a Finnish server, and that the key expired last year (but still had a window between when...

    I'm having a hard time understanding how this affects their customers. I understand a key was stolen from a Finnish server, and that the key expired last year (but still had a window between when it was hacked and when it expired that it was legit), but am not sure how that translates into what may have been compromised/what may have happened to me.

    I don't really use my VPN that much except for when I'm mobile and am connecting to my bank, or pirating the Batman animated series... and Dating Naked, the dumbest reality show ever... and still got a cease & desist from Comcast.

    Does this essentially mean somebody now knows I've watched Dating Naked? Because congrats.

    4 votes
    1. [3]
      moose
      Link Parent
      Well for one they got the TLS key for the NordVPN website meaning that your https connection for that 7(?) month window could've been compromised. Aka anyone with access to your internet...

      Well for one they got the TLS key for the NordVPN website meaning that your https connection for that 7(?) month window could've been compromised. Aka anyone with access to your internet connection from your ISP, government, or someone spoofing your WiFi connection next door or with a public WiFi connection could possibly put up a fake NordVPN website, getting whatever data you enter in there from logins to potentially private keys for proxies. AKA your account could very easily have been pwned without you or Nord ever knowing.

      Secondly the way they got this and 2 other keys I'm not sure what are used for is they had !!!!root access!!!! to a NordVPN server meaning they could have stolen many other, much more vital private keys. At this point it's speculation but it's equivalent to someone being able to break into your house, and in your house you have a bunch of keys because you're a security manager of some sort. Now you might have seen some copies of just 3 keys online, but this tells you someone got into your house and made copy of your keys, meaning they had access to all your keys to make copies. You could see how this could be detrimental if your entire business is based off of security.

      Finally one could argue this wasn't NordVPN's fault. Sure they had no control over the remote management software that was installed on their server, but they found out about the jack, and basically just sat there for 7 months telling no one, and doing virtually nothing about it. The whole thing with a VPN is you have to be able to trust them, because if you can't, then why even bother getting them. That's why some people don't like VPNs to secure there data/connection as it's a single point of trust. Now that it's been shown that they obviously can't be trusted to be transparent or do anything regarding security breaches, how do we know we can trust them to not keep logs of our data? Or to even simply encrypt it without a 3rd party also having access and being able to decrypt it with/without NordVPN knowing?

      12 votes
      1. [2]
        rmgr
        Link Parent
        I was pretty close to buying a NordVPN subscription until this but like you said, how do we know we can trust them not to keep logs? I'm thinking I'll wait until the Black Friday sales and pull...

        I was pretty close to buying a NordVPN subscription until this but like you said, how do we know we can trust them not to keep logs?

        I'm thinking I'll wait until the Black Friday sales and pull the trigger on a ProtonMail/ProtonVPN subscription.

        1 vote
        1. moose
          Link Parent
          Personally I would recommend PIA. Many people have issue that it's based in the US, which I admit would be bad except they are the only VPN to have been shown in court that they don't keep user...

          Personally I would recommend PIA. Many people have issue that it's based in the US, which I admit would be bad except they are the only VPN to have been shown in court that they don't keep user logs. This is of course the #1 thing you want a VPN to do and it's the only one out there that has been proven to do so, which is why I use it. Though here's a great rundown of all VPNs link

          3 votes
    2. [3]
      teaearlgraycold
      Link Parent
      Why do you even use a VPN?

      Does this essentially mean somebody now knows I've watched Dating Naked? Because congrats.

      Why do you even use a VPN?

      1 vote
      1. Douglas
        Link Parent
        Why do anything? It just makes me feel slightly more secure. I think I got mine on a deal/they had like a 3-years-for-the-price-of-one and I just wanted to try it out, and it was after there was a...

        Why do anything?

        It just makes me feel slightly more secure. I think I got mine on a deal/they had like a 3-years-for-the-price-of-one and I just wanted to try it out, and it was after there was a ruling that my ISP can sell my data to third parties, so I was in a kind of "fuck you" mood at the time and thought a VPN would suffice, but it obviously doesn't if they knew me well enough to send the cease & desist.

        8 votes
      2. xstresedg
        Link Parent
        To watch Dating Naked and pirate Batmanimated shows, based on their answer lol EDIT: I'm not trying to be sassy or rude, fyi. I'm just sarcastically reiterating what they said, as it looks like...

        To watch Dating Naked and pirate Batmanimated shows, based on their answer lol

        EDIT: I'm not trying to be sassy or rude, fyi. I'm just sarcastically reiterating what they said, as it looks like they watch shows not local to their country and download things they shouldn't be downloading from a legal perspective.

        5 votes