Popular VPN Service NordVPN Says it Was Hacked

NordVPN, a virtual private network provider that promises to "protect your privacy online," has confirmed it was hacked. From a report: The admission comes following rumors that the company had been breached. It first emerged that NordVPN had an expired internal private key exposed, potentially allowing anyone to spin out their own servers imitating NordVPN. For its part, NordVPN has claimed a "zero logs" policy. "We don't track, collect, or share your private data," the company says. But the breach is likely to cause alarm that hackers may have been in a position to access some user data. NordVPN told TechCrunch that one of its datacenters was accessed in March 2018. "One of the datacenters in Finland we are renting our servers from was accessed with no authorization," said NordVPN spokesperson Laura Tyrell. The attacker gained access to the server -- which had been active for about a month -- by exploiting an insecure remote management system left by the datacenter provider, which NordVPN said it was unaware that such a system existed.

  • Now hear this... (Score:5, Insightful)

    by BringsApples ( 3418089 ) on Monday October 21, 2019 @09:53AM (#59330712)

    by exploiting an insecure remote management system left by the datacenter provider, which NordVPN said it was unaware that such a system existed.

    This is the main problem with "everything cloud". It's literally someone else's box. And that person, company or corporation may just have its own agenda. Data's the new money.

    • This is the main problem with "everything cloud". It's literally someone else's box. And that person, company or corporation may just have its own agenda.

      At least Tor is designed in a way where you don't need to trust any individual "someone". Any box along the chain could be actually malicious, as long as the *same* malicious actor doesn't "simultaneously" control *all* of the nodes of your circuit, they won't de-anonymise you easily.

      Versus VPN where it is only as secure and anonymous as the "someone else" who is in charge with the "box".

      I've never understood why people are all into VPNs instead of Tor. Perhaps the perceived ease of setting up?

      • The problem with Tor is it's now assumed that most people using it are probably criminals. Which is why I think any well-meaning person running a Tor endpoint in this day and age is begging for trouble.

      • by rho ( 6063 )

        VPNs have been hard sold as a privacy and anonymity tool by companies trying to make a buck.

        Attention everybody: VPNs do not protect your privacy or anonymity because that is not their purpose. VPNs are a way to provide a secure link over the Internet and nothing more. The "no-log" VPNs basically admit this. The implicit assumption in advertising a "no-log" VPN for privacy and anonymity means that if they did logging, your privacy and anonymity will be compromised.

        I have no idea why this dumb idea has gotte

      • TOR was designed for those in oppressive governments. It was to give those people a way to reach out to the rest of the world and let them know what's happening, and a way for those to get info to help themselves. The reason so many people don't just jump on the TOR network is because it's terribly slow.

      • I've never understood why people are all into VPNs instead of Tor. Perhaps the perceived ease of setting up?

        For downloading music and movies, which is what most people use personal VPNs for, it's adequate to keep you from getting nastygrams from the MPAA/RIAA shakedown racket or your ISP. They can also be useful for getting around geoblocking.

        Tor is not really designed for the bandwidth requirements of bittorrent or streaming, and for security the Tor folks themselves recommend against it as well.

        https://blog.torproject.org/bi... [torproject.org]

        • For downloading music and movies, which is what most people use personal VPNs for, it's adequate to keep you from getting nastygrams from the MPAA/RIAA shakedown racket or your ISP.

          ...as long as you trust your VPN to not log for real.
          A VPN is just one gag-order/hack/whatever away from leaking your data.
          Yes, I know VPN companies try to get incorporated in places with lower probability, but the chances aren't absolute zero.
          A VPN company is still a single point of failure.

          They can also be useful for getting around geoblocking.

          Tor too, traffic always looks like coming from the exit node.
          There's even a convenient option to specify *which* country you would like to use exit nodes from.

          There are countless other methods: SSH-proxying, for exampl

          • ...as long as you trust your VPN to not log for real.

            A VPN is just one gag-order/hack/whatever away from leaking your data.

            Nothing is risk free, a VPN is simply added protection. The likelihood of the MPAA getting anything usable in court is tiny, and experience bears this out. For more high risk activities obviously the bar is much higher.

            A VPN company is still a single point of failure.

            So is your ISP. Whether you trust a VPN provider more or less than your ISP is a personal decision.

            There's even a convenient option to specify *which* country you would like to use exit nodes from.

            If you don't have the bandwidth to stream, that is of limited utility.

            Don't get me wrong, I like and use Tor, and I also recommend multi layered security. I just don't think it is the first

      • I've never understood why people are all into VPNs instead of Tor. Perhaps the perceived ease of setting up?

        Speed. Try streaming an HD video movie over Tor.

      • I've never understood why people are all into VPNs instead of Tor

        Tor is painfully slow.

  • VPN's are NOT safe (Score:5, Insightful)

    by DogDude ( 805747 ) on Monday October 21, 2019 @09:54AM (#59330716)
    I don't know why so many people suddenly think that VPN's are some kind of safety measure. All a VPN accomplishes is piping all of your data through a central point, that you hope you can trust. It's also one (large) additional place where your data can be scooped up (as per this example). I would never use a VPN that I didn't explicitly own.
    • by Kiuas ( 1084567 ) on Monday October 21, 2019 @10:09AM (#59330746)

      I don't know why so many people suddenly think that VPN's are some kind of safety measure.

      Because that's the nr. 1 thing they highlight in their marketing. NordVPN especially has been pushing ads and sponsoring channels on Youtube really heavily for the past year, and their ad on Youtube I've seen several times begins with 'Someone's watching, now they're not... NordVPN secures your connection with military grade encryption...' and so on and so forth. Some of the collaborations I've seen them do with Youtube-channels specifically make mention of data leaks and so on. Literally the first thing you see if you google NordVpn is 'NordVPN - Protect your online privacy', followed by 'Make sure there's only one person watching your online activities: you.'

      There are only 2 main reasons why people buy these services:

      1. Being able to watch geolocked content on streaming sites (probably the most common reason)
      2. "Safety/privacy"

      • by l0ungeb0y ( 442022 ) on Monday October 21, 2019 @11:46AM (#59331122) Homepage Journal
        I use Nord because they provide Static IPs upon request (and at an additional cost). Others such as Express do not offer a static IP option. This is handy because I travel extensively and many services I engage with are IP restricted. Access to geolocked content on streaming services while out of the country is nice too, though.
    • by ceoyoyo ( 59147 )

      You know your ISP is logging you. You pay your VPN provider not to log you. That doesn't mean they don't, but it is safer than not using one at all. Of course it's not as safe as using your own VPN (provided you're competent), but using your own does come with the potentially awkward side effect that you can't say you've got zillions of clients and no logs to say which one did the bad thing.

      • by DogDude ( 805747 )
        You do know you need to use your ISP to get to your VPN, right...? How is 1. going through your ISP, then 2. another location less safe than 1. going through your ISP, 2. then another random computer 3. then to other locations?
        • Because the only traffic your ISP sees is traffic to the VPN, which is encrypted. The ISP can't see anything inside the encrypted tunnel, just as they can't sniff out and record your credit card when you buy something online over SSL.
          They only know you're "talking" to the VPN node, but what you're "saying" and where you're going from there is hidden.

          • by DogDude ( 805747 )
            Well, wouldn't you be connecting to somewhere that's encrypted, anyway, so all of your traffic through your ISP would also be encrypted? Why would anybody use an encrypted connection to a VPN, and then an unencrypted connection from there? The VPN would have all of your traffic, along with whatever bad guys are surveilling the VPN.
            • Not everything through your ISP is encrypted. In particular, even if your final data layer is fully encrypted, the layers below that are necessarily still going to expose who you're talking to and other metadata. If you're visiting a few social networks and buying stuff on Amazon, that's probably no big deal. If you're visiting the support site for a certain medical condition, or a site all about growing cannabis and that's illegal in your country, or sites associated with certain political parties/views, o

            • by ceoyoyo ( 59147 ) on Monday October 21, 2019 @11:59AM (#59331172)

              The VPN obscures what you're connected to.

              Suppose you're in the habit of visiting furryerotica.com, but would rather that information not be up for public auction. Your ISP and the furries are almost certainly tracking your visit and selling the information to the highest bidder. If you impose a VPN in the middle, the ISP sees you visiting the VPN, and the furries see you coming from the VPN, but there's this black hole in the middle.

              If the VPN is selling your data then you're not really any further behind. If they're not, then you're ahead. Since they have a direct financial incentive not to sell your data, unlike most ISPs and free-for-use web sites, they might possibly be less likely to do so.

              • by DogDude ( 805747 )
                If the VPN is selling your data then you're not really any further behind. If they're not, then you're ahead.

                Right. But A. I would imagine that you really have no way of knowing if a VPN is selling your data. Unless I'm explicitly signing a contract that says otherwise, I'd assume that my data is being sold. And B. wouldn't VPN's be goldmines for people wanting to steal data or blackmail people, or whatever shitty thing they can think to do?

                I think that trying to bypass your ISP for a VPN that yo
                • by ceoyoyo ( 59147 )

                  Sure. From NordVPN's terms of service:

                  NordVPN guarantees a strict no-logs policy for NordVPN Services, meaning that the NordVPN Service is provided by an automated process, and your activities while using it are not monitored, recorded, logged, stored or passed to any third party.

                  They guarantee that not only do they not sell your data, they don't collect it in the first place. You should absolutely not trust a VPN that doesn't guarantee that.

                  Your ISP, on the other hand, semi-regulated or not, absolutely log

      • by guruevi ( 827432 )

        Not just your ISP, but anyone that you connect to can see your 'home' IP. Depending on where you live, this can narrow your location down to a few hundred people (in a city) to a few dozen people (in the country) and with a bit of sleuthing, anyone could likely get your home address just from your IP, especially someone with resources.

        With a VPN service, all the website sees is a random IP from a random location (depending on how you configured the setup). It's interesting to note that your bank tracks your

    • by fazig ( 2909523 )
      Yes I wonder why. So why don't we pay NordVPN's website a visit?

      Imagine VPN as a hack-proof, encrypted tunnel for online traffic to flow. Nobody can see through the tunnel and get their hands on your internet data. NordVPN gives you peace of mind each time you use public Wi-Fi, access personal and work accounts on the road, or want to keep your browsing history to yourself.

      Source: https://nordvpn.com/ [nordvpn.com]
      That is how they advertise and sell their product/service. If you click on "See All Features" you'll find

    • by AmiMoJo ( 196126 )

      You can't trust your ISP either, so using a VPN you can't trust is no worse. At least your connection's IP address is hidden and it's harder for advertisers to track you that way.

      I wonder if this is an issue with Intel Management Engine? Sounds kinda like it from the description.

    • For some, a public VPN is a great way to simply hide in plain sight. Sure, websites can still collect telemetry data to uniquely identify you, but you've made it much more difficult for your ISP, their interconnects, a network admin of a public WiFi hotspot, etc. to track you since the data coming out of the VPN's end tunnel is too noisy to be useful for anything other than a simple page counter. Granted, that's not how they're advertised and for us competent in the arts, we know the only "secure" way a VPN

    • Frankly I don't care if my VPN is watching the traffic I route through them. What I care about is that the MPAA/RIAA and my ISP aren't.

      This serves to prevent my ISP from shaping my traffic or throttling/blocking things they dislike, and makes sure I don't get hit with a 5 billion dollar lawsuit for downloading a 10 dollar movie.

      It also makes switching my external IP address because of geoblocking bullshit far simpler.

      Anything that needs proper security I'll do through a combination of TOR, TAILS, wardriving

    • They're not a safety measure. They're a privacy measure so that you can't get tracked by IP address by places like google and forum moderators.

    • VPNs would be one part of a comprehensive privacy system, and it's all relative. Would I rather have my data flowing through an ISP that I can't really choose or a trustworthy VPN that I can switch? If I'm traveling, or using public wifi, then I'm probably better off piping my data through a VPN than doing without. Would I trust that the VPN completely resolved my privacy concerns? Nope.

    • A VPN that you own?

      How can anyone create a VPN that they own? Do you run a remote server from which you can emerge onto the internet, a server that is not paid for by you and cannot be traced back to you?

      Just in case the answer is "yes," how would you expect everyone else to do this? Not to mention that if you have only one exit point to choose from, it would be pretty easy to track you. VPN or no, the ISP (and everyone else) can see what IP your traffic goes to (your VPN server). That can be traced, ge

    • > All a VPN accomplishes is piping all of your data through a central point, that you hope you can trust.

      Or, in many users' cases all they care about is piping that data to a central point in a whole other legal jurisdiction with some hazy level of hassle for someone in the users' jurisdictions to correlate. Generally speaking it's not about making your actions 100% hidden, it's about making your actions 100x harder to sort out than the guy using Bittorrent on his own cable modem, as the MPAA/RIAA/whoe

    • I thought that one big usage model was getting access to geo-restricted content. For example, making Netflix think you are in the USA.

      NordVPN say that their service is not intended to bypass copyright restrictions, but most of these VPN services move their outbound IP address around whenever they get blocked by Netflix.

    • by G00F ( 241765 )

      I trust a good no logging VPN whose sole existence is to not log over say Comcast or Google.

      A no logging VPN provider doesn't secure you, and by itself doesn't make you anonymous, but if say you set up the VPN, created a login w/ some website with topics that can get you into legal trouble (or embarrassing) and never cross the accounts, you are hidden enough.

      But we all know most have it for torrenting (you'd think VPN providers would have interchanges with each other for this). However I'm sure many also u

  • by damn_registrars ( 1103043 ) <damn.registrars@gmail.com> on Monday October 21, 2019 @09:56AM (#59330728) Homepage Journal
    How many others are seeing the NordVPN banner ads while this article is front page? (yeah, I could use ABP but I sometimes turn it off for specific situations)
    • by ceoyoyo ( 59147 )

      All publicity is good publicity!

      That tells you how detached from reality marketing is.

  • Has anyone read the article and their statement they posted online? https://nordvpn.com/blog/offic... [nordvpn.com] Article seems so much faaaaar from anything that could happen and written only for clicks
  • Comment removed based on user account deletion
  • Attempt to access this Slashdot story had

    "Internal Server Error

    The server encountered an internal error or misconfiguration and was unable to complete your request.

    Please contact the server administrator at admin@slashdot.org to inform them of the time this error occurred, and the actions you performed just before this error.

    More information about this error may be available in the server error log."

    And then when I was able to I couldn't post.... till now.

    BTW, as this is true, it's also supposed to be humor

  • OK, now we know where the Equifax IT crowd went.
  • Techcrunch did it again. Their so-called “Experts” (which are anonymous, ofc) have made it sound like the world is about to end, even though in reality no actual damage to users has been done. Journalism shouldn't be about distorting facts or, more importantly, being biased, which leads me to another thing - TC is owned by Verizon and Verizon owns their own VPN service. See the connection? https://www.techdirt.com/artic... [techdirt.com]
