I’m not going to make any recommendations on VPNs except to say what happened with NordVPN is why you never trust any VPN provider that rents out data center virtual server space, or uses other people’s equipment.
It should be noted that TorGuard and VikingVPN are also listed as potentially compromised in the TechCrunch article.
The short version of the story is that they appear to have rented a virtual server, or connected a physical server to a remote management console; one of the data center's management servers had an insecure remote management system, which allowed attackers to compromise the NordVPN server and pull private key data from it.
What that effectively means is that a government agency could perform a man-in-the-middle attack: you think you're securely connected to your VPN, but you're not.
NordVPN says there's not much they could have done at that point with what they got, but the acknowledgement of a breach raises some troubling issues.
The first is that this happened in March of 2018, 19 months ago if my math is right. Now, I'm not particularly in favor of immediate disclosure while you batten down the hatches, but in that time you could have had a kid, and that kid would now be 10 months old and her first words would be "no security".
The second is that NordVPN is not in complete control of the boxes/environment/virtual machines they're on. That's troubling. I mean, the nature of the internet is such that there's an element of risk even with the greatest cryptography in the world, but when the box you're trusting is accessible by means you don't control... that's not good.
Do they know that their equipment isn’t physically being accessed by third parties?
NordVPN says they were unaware of the data center's software; that's even worse. If I'm putting a VPN in a remote location and asking people to pay and trust me, I'm going to that data center with my own equipment that plugs into the internet and a keyboard, three IP cameras pointed at it, and a monitor I bring. If that VPN goes offline for any reason, it will stay offline, as I'll assume a state agent has compromised it.
This was connected via some sort of shared resource: some form of equipment or software that a company focused on security didn't know about, and it took them 18 months to come clean about it.
Was any user data compromised? They claim not, although as far as I know they have no way to determine that the attacker didn't pull connection information to match IP addresses with the times of political posts, to sell to anti-democracy forces who would use it to go and round up suspected dissidents.
I mean, if they're renting server space, NordVPN might not have been logging connection information, but who's to say the data center wasn't?