(Bloomberg) -- A virtual private network that markets its “advanced security” said on Monday that one of its services had been compromised last year.
Nord VPN, which is based in Panama, said on the company’s website that it discovered the breach a few months ago at a data center in Finland. The company’s statement comes after allegations on Twitter by security researchers alleging Nord had been hacked.
Tom Okman, a Nord advisory board member, said the hackers only had access to a single “exit node,” the part of the service that masks its customers’ IP address, and not its internal databases. The hackers appeared to have access for about two months, he said. Okman was made available for an interview by the company.
The breach was done by “exploiting a vulnerability of one of our server providers, which hadn’t been disclosed to us,” according to the company’s statement. “No user credentials have been intercepted. No other server on our network has been affected. The affected server does not exist anymore and the contract with the server provider has been terminated.”
Nord VPN has 12 million users worldwide, according to spokeswoman Laura Tyrell, but she said the company estimates only 50 to 200 customers used the breached server. VPN services anonymize internet activity by routing traffic through servers that mask a user’s identity and location.
Okman said it was hard to determine if hackers obtained information on the internet usage of Nord users because the company doesn’t collect logs of activity on its servers, a selling-point to privacy-conscious customers. “I think that the worst case scenario is that they could inspect the traffic and see what kind of websites you could visit,” Okman said. He said this would only apply to Nord users who used its Finnish server and were accessing websites that didn’t use the secure protocol HTTPS.
Okman said Nord was slow to inform its users of the 2018 breach because it wanted to verify that none of its 5,000 different servers had the same issue. That process is still ongoing, he said. “We would rather not disclose this now but due to the concerns of our users we had to do this now,” Okman said. Nord plans to inform its customers of the breach via email.
The announcement touched off a dispute over who was to blame.
Okman said the breach was the fault of Nord’s data center provider, a Finnish company called Oy Creanova Hosting Solutions Ltd., which he accused of having “very bad security practices.” Creanova introduced software that led to hackers gaining access without Nord’s knowledge, Tyrell said.
But Niko Viskari, Creanova’s chief executive officer, blamed Nord for the breach. “They had a problem with security but because they do not take care of security by themselves,” he said, in an email. Nord, he said, was trying “to put this on our shoulders.”
For Nord, security is a key selling point. In a tweet from August, Nord claimed the service would protect its users from hackers. “Hackers would love to grab your sensitive data right out of your screen,” the tweet says. “And they can -- unless you encrypt your traffic with NordVPN.”