Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Privacy Technology

NordVPN Users' Passwords Exposed In Mass Credential-Stuffing Attacks (arstechnica.com) 13

Last week, NordVPN disclosed a server hack that leaked crypto keys. While the scope of the breach is still being determined, Ars Technica's Dan Goodin reports that NordVPN users' passwords were exposed and at least one site still features user credentials, which include email addresses, plain-text passwords, and expiration dates associated with the accounts. An anonymous Slashdot reader shares an excerpt from his report: I received a list of 753 credentials on Thursday and polled a small sample of users. The passwords listed for all but one were still in use. The one user who had changed their password did so after receiving an unrequested password reset email. It would appear someone who gained unauthorized access was trying to take over the account. Several other people said their accounts had been accessed by unauthorized people. Over the past week, breach notification service Have I Been Pwned has reported at least 10 lists of NordVPN credentials similar to the one I obtained. While it's likely that some accounts are listed in multiple lists, the number of user accounts easily tops 2,000. What's more, a large number of the email addresses in the list I received weren't indexed at all by Have I Been Pwned, indicating that some compromised credentials are still leaking into public view. Most of the Web pages that host these credentials have been taken down, but at the time this post was going live, at least one remained available on Pastebin, despite the fact Ars brought it to NordVPN's attention more than 17 hours earlier.

Without exception, all of the plain-text passwords are weak. In some cases, they're the string of characters to the left of the @ sign in the email address. In other cases, they're words found in most dictionaries. Others appear to be surnames, sometimes with two or three numbers tacked onto the end. These common traits mean that the most likely way these passwords became public is through credential stuffing. That's the term for attacks that take credentials divulged in one leak to break into other accounts that use the same username and password. Attackers typically use automated scripts to carry out these attacks.

This discussion has been archived. No new comments can be posted.

NordVPN Users' Passwords Exposed In Mass Credential-Stuffing Attacks

Comments Filter:
  • The hits just keep on coming for NordVPN!

    I'm waiting for similar reporting about Squarespace or Skillshare, since they are also huge shill sponsors.

    • by DavenH ( 1065780 )
      Do they? This is equivalent to attackers trying to login with "admin/password" and a dumb user having taken it, getting their account compromised. NordVPN is responsible for not filtering for passwords harder & not related to names within the email, but that's far from getting hacked.
  • Just love all those Nord VPN sponsored YouTube channels. Fuck Nord
    • Honestly, people put too much trust in VPN providers. Do they not think that they keep records of their customers, like payments, schedules, etc.?
      • by Strill ( 6019874 )

        Mullvad doesn't. They literally identify you only through a random number, and encourage you to pay in bitcoin.

        • by Anonymous Coward

          Mullvad wants users to install software instead of just setting a proxy in their OS. That's reason enough to not use it.

  • by RandomUsername99 ( 574692 ) on Friday November 01, 2019 @05:41PM (#59371126)

    Being a security product— even being an entry-level one— I'd expect a paid personal VPN's user-base to have a higher ratio of good to bad passwords. That assumption could be wholely off-base, but especially since they mentioned consistent patterns like using the entire string to the left of the @ sign, it does make me wonder if these specific accounts are being used for sort of automated system rather than being human accounts with such poor credentials.

    • > I'd expect a paid personal VPN's user-base to have a higher ratio of good to bad passwords. That assumption could be wholely off-base

      Security professionals have crappy habits with their own passwords, so I wouldn't expect people using VPNs to he better.

      Partly having ideal password habits is hard / inconvenient. My colleagues tell people "use a different password for every site", then issue them logins to ten different systems. Yeah, sure you're going to remember 25 unique passwords. It would be grea

  • How entertaining to see the negative correlation of YT channel subscriber numbers and the credibility of their makers in action.

    It's like with TV advertisements: If you see product X advertised on TV, you already know it is overpriced and probably meant to be sold to gullible people.
  • From TFA:

    "It’s hard to understand why NordVPN, a company that’s in the business of providing security to users, is allowing so many of its users to fall victim to these attacks."

    Actually, is quite easy to understand. Implementing meassures against these types of attcks, or doing security audits so that servers aren't hacked like what happened 11 days ago costs money, money that management tought was better spent paying influencers on youtube, banner adds on the net, and all sorts of publicity el

  • Well, at least we know it is “military grade”. :’)

You know you've landed gear-up when it takes full power to taxi.

Working...