Virtual Private Network provider NordVPN announced that it was the target of a successful hack last year.
In a statement released on its blog, NordVPN informed users that one of its servers had been compromised in March 2018. The announcement confirmed rumors about the service that had previously been circulating on Twitter. The company placed the blame on a third-party vendor.
“The breach was made possible by poor configuration on a third-party datacenter’s part that we were never notified of. Evidence suggests that when the datacenter became aware of the intrusion, they deleted the accounts that had caused the vulnerabilities rather than notify us of their mistake. As soon as we learned of the breach, the server and our contract with the provider were terminated and we began an extensive audit of our service,” stated the blog.
The administrators of the compromised datacenter, Oy Creanova Hosting Solutions Ltd, have denied responsibility for the breach.
NordVPN has tried to downplay the incident; its announcement of the breach asserted that only between 50 and 200 of its roughly 12 million customers were affected and that no information relating to user activity had been breached.
The company also provided a justification for the apparent year-long delay in announcing the breach:
“Once we found out about the incident, we first terminated our contract with the provider and eliminated the server… Unfortunately, thoroughly reviewing the providers and configurations for over 5,000 servers around the world takes time. As a result, we decided we should not notify the public until we could be sure that such an attack could not be replicated anywhere else on our infrastructure.”