Hackers have broken into servers of at least three popular VPN services (NordVPN, VikingVPN and TorGuard) over the past couple of years, pilfering cryptographic keys that could have been used to impersonate those servers and intercept user traffic, or to bypass browser security features and mount web-based attacks. In other words, that's not good, especially if you use one of the three services.
Here's a quick look at what you need to know about the breaches, based on the few details that have been disclosed so far:
Multiple breaches since 2017
Ars Technica published a handy breakdown about the NordVPN, TorGuard and VikingVPN breaches. It covers how the attacks were carried out and initially discovered, but many important pieces of information, such as how the stolen keys were used or whether any of the services' users were actually affected, are still unknown.
The most recent attack was directed at NordVPN back in March 2018, nearly 19 months ago, but is only now being disclosed. NordVPN says that no usernames or passwords were stored on the attacked server and that no other servers or data centres were targeted.
The company also says one of the three keys stolen in March 2018 became invalid by October 2018, meaning it has been unusable for over a year by now. Still, while that key was valid it could have been used to impersonate the server and collect individual users' data, and none of the statements NordVPN has made to reporters or its users address the other two keys.
Disclosure of the NordVPN server compromise comes just after it was reported that VikingVPN and TorGuard suffered similar breaches back in 2017. Only TorGuard has commented so far; it says the stolen keys couldn't have been used to compromise user data and have been disabled for months. Still, the breached server was actively in use until early 2018.
What should you do?
The statements from NordVPN and TorGuard have been questioned by security researchers, who tell Ars Technica that using the stolen keys to collect user data is easier than these companies would have their users believe.
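One concrete thing a user can check for themselves is the CA certificate baked into their provider's OpenVPN profile: when it expires, and whether its fingerprint has changed since the incident. The following POSIX shell script is an added example, not code from the article, from Ars Technica or from any of the providers. It assumes the openssl command-line tool is installed, and when run without arguments it builds a throwaway profile with a freshly generated, constructed CA certificate so it works offline; the hostname vpn.example.invalid and the function names are placeholders.

```shell
#!/bin/sh
# Added example, not from the article or any VPN provider: pull the CA
# certificate out of an OpenVPN client profile (.ovpn) and report when it
# expires and its SHA-256 fingerprint. Requires the openssl CLI; the profile
# used below is constructed here for the demo.
set -eu

# Print the PEM certificate between the <ca> and </ca> tags of a profile.
extract_ca() {
  sed -n '/^<ca>/,/^<\/ca>/p' "$1" | sed '1d;$d'
}

# notAfter of the embedded CA certificate, e.g. "Oct 22 00:00:00 2018 GMT".
ca_not_after() {
  extract_ca "$1" | openssl x509 -noout -enddate | cut -d= -f2
}

# SHA-256 fingerprint of the embedded CA certificate (colon-separated hex).
ca_fingerprint() {
  extract_ca "$1" | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Exit 0 if the embedded CA certificate is still valid right now.
# openssl's -checkend N exits non-zero when the cert expires within N seconds.
ca_still_valid() {
  extract_ca "$1" | openssl x509 -noout -checkend 0 >/dev/null 2>&1
}

# Build a demo profile in DIR around a constructed, self-signed CA cert that
# is valid for one day, so the script runs offline. Prints the profile path.
make_demo_profile() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example VPN CA (constructed for demo)" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
  {
    printf 'client\ndev tun\nproto udp\nremote vpn.example.invalid 1194\n'
    printf '<ca>\n'
    cat "$dir/ca.crt"
    printf '</ca>\n'
  } > "$dir/demo.ovpn"
  printf '%s\n' "$dir/demo.ovpn"
}

# Usage: sh ovpn_ca_check.sh [profile.ovpn]
# With no argument the constructed demo profile is generated and inspected.
if [ "$#" -ge 1 ]; then
  profile="$1"
else
  tmp="$(mktemp -d)"
  profile="$(make_demo_profile "$tmp")"
fi
echo "CA expires: $(ca_not_after "$profile")"
echo "CA SHA-256: $(ca_fingerprint "$profile")"
if ca_still_valid "$profile"; then
  echo "CA status:  still valid"
else
  echo "CA status:  EXPIRED"
fi
```

Read the result with the right caveat: an expired certificate rules out an attacker using its key to impersonate the server from now on, but a certificate that is still valid says nothing about whether its private key has been exposed. The fingerprint is only informative when compared against something, for example a profile you downloaded before the incident, or a fingerprint the provider publishes after rotating its keys; a provider that has rotated should hand you a profile whose CA fingerprint differs from the old one.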
VPNs are often pitched as privacy tools that help you get around some of the internet’s annoying red tape, but they aren’t just for watching Netflix titles exclusive to other regions or for hiding your browsing data from your ISP so you can torrent the latest episode of your favourite show. Many people who use VPNs are also trying to maintain privacy and anonymity: political activists protecting their identity from dangerous or oppressive governments, journalists and investigators sourcing sensitive information, or even white-hat hackers looking into major security flaws.
A VPN service with lax security practices, or one that doesn't keep its users informed about potential breaches, puts those users in jeopardy. Incidents like these show that even well-reviewed products that otherwise work as intended can be risky. Until more information becomes available, we suggest current NordVPN, TorGuard and VikingVPN customers (and those shopping for a new VPN) look elsewhere.
The most secure option is to run your own VPN, but that's a topic for another time; we'll have a full guide for doing so in the near future. For now, the other option is to look into a new commercial VPN, but that's easier said than done. There are lots of VPN services out there, and most of them aren't very good.
A lot of them are even straight-up scams. We suggest consulting our guide for finding a trustworthy VPN, while new users will probably want to give our general VPN explainer a look as well. Both articles have tips for vetting potential services and links to other helpful lists and resources.