The VPN provider NordVPN apparently had an incident some time ago in which an attacker had access to its servers and private keys. Three private keys appeared online, one of which belongs to an expired HTTPS certificate.
Several cryptographic keys and information about NordVPN configuration files have appeared in a leak. One of the keys matches an older NordVPN website certificate.
The leak surfaced in an online discussion. In a since-deleted tweet, NordVPN wrote: “Nobody can steal your online life (if you use a VPN)”. In response, someone replied with a link to a text file containing evidence of a hack of a VPN provider.
The file is apparently a console log from a session in which an attacker had access to a NordVPN server. It shows various configuration files of the OpenVPN software as well as certificates and three private RSA keys. Two of the keys belong to the OpenVPN configuration; one belongs to a website certificate.
I was able to check and confirm that the key actually belongs to the certificate, so at least this part of the leak is not a forgery. The certificate is a wildcard certificate for the NordVPN domain, but it is no longer current: it expired in October 2018. This could indicate that the hack happened some time ago, but it is of course also conceivable that the attacker stole the key of an already outdated certificate.
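One way to perform the key-to-certificate check described above, as an added example that is not the article's own procedure: compare the public key embedded in the certificate with the public key derived from the private key, using the openssl command line (assumed to be installed). The demo material is a constructed throwaway certificate and an unrelated key, not the leaked NordVPN files.

```shell
#!/bin/sh
# Added example: does a PEM private key belong to an X.509 certificate?
# Both `openssl pkey -pubout` and `openssl x509 -pubkey` emit the public key
# in the same SPKI PEM form, so a textual comparison is sufficient.
# Returns 0 when key and certificate match, 1 otherwise (or on read errors).
key_matches_cert() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ "$key_pub" = "$cert_pub" ]
}

# Print the certificate's validity window; a matching key for an expired
# certificate (as in the leak above) is evidence of a past compromise but
# cannot be used to impersonate the site against a checking client today.
cert_validity() {
  openssl x509 -in "$1" -noout -dates
}

# Constructed demo material: a self-signed certificate with its own key
# (a.key/a.crt) and a second, unrelated RSA key (b.key). Prints the directory.
make_demo_material() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/a.key" \
    -out "$dir/a.crt" -days 1 -subj "/CN=example.test" 2>/dev/null
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/b.key" 2>/dev/null
  echo "$dir"
}

# Stand-alone run: expected output is "a.key: match" and "b.key: no match".
demo() {
  d=$(make_demo_material)
  for k in a.key b.key; do
    if key_matches_cert "$d/$k" "$d/a.crt"; then
      echo "$k: match"
    else
      echo "$k: no match"
    fi
  done
  cert_validity "$d/a.crt"
}
```

Run `demo` to see the check against the constructed material; for a real investigation, pass the leaked key and the certificate obtained independently (for example from the live site or a certificate-transparency log) to `key_matches_cert`.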
Recorded VPN traffic can probably not be decrypted directly with the leaked keys. The configuration files shown also indicate that the OpenVPN setup uses a Diffie-Hellman key exchange, so the connections have the so-called forward-secrecy property, which prevents decryption after the fact. However, the keys could be used for a man-in-the-middle attack. It can also be assumed, of course, that the attacker was able to access data traffic during the hack.
NordVPN has only briefly commented on the incident so far. Its Twitter account says the company is waiting for its technicians to check the details. We have not found any notice on the website yet, and my inquiry has remained unanswered.
As usual, adjust your OPSEC if you have ever used them, and assume that emails and TXIDs will be leaked.