If you haven’t seen the news yet, you can read about what happened, and how it happened, here. I do want to take a moment, though, to share a few things that stand out to me:
- The most obvious point is that all of us who use a VPN to avoid being snooped on in public places are at the mercy of the VPN provider. For example, if I connect to the public WiFi at Starbucks, I can either trust that everyone on that network is ethical and that the network has not been compromised to snoop on the data being transmitted (nope), assume that all of my traffic will only go over secured connections (maybe, but risky), or use a VPN connection to protect my information on that network. That, however, means I am trusting the VPN provider to act ethically and not snoop on the traffic itself. This is why you want to use a VPN provider you have researched, or one provided by your office, not the first free one you found on Google.
- In the case of NordVPN, they had earned a good reputation among VPN users, exemplified by the fact that they didn’t even keep logs, which makes it that much harder to see what data may have crossed those VPN connections. But that lack of logging also creates its own issues:
“We are strictly no-logs, so we don’t know exactly how many users had used this server,” NordVPN said. “However, by the evaluation of server loads, this server had around 50-200 active sessions.”
So having no logs actually makes it difficult to know who might have been impacted, and when. There are always trade-offs when it comes to security, and this is a prime example. They could have gone the other way; I’ve seen corporate VPNs and networks that log everything that crosses them and keep those logs, but then you are responsible for keeping that information safe. If one of those companies were to get hacked, they could probably spot it faster and tell you every user who may have been connected and impacted, but the hacker could also have had access to much, much more data.
NordVPN made what was probably a wise choice for a VPN company.
- The actual hack shows that your data is only as safe as the weakest link in your infrastructure. In this case, it was a server rented from a third party that had a vulnerability.
The company revealed that an unknown attacker gained access to that server by exploiting “an insecure remote management system left by the datacenter provider while we (the company) was unaware that such a system existed.”
With so much of our data living with third parties, whether in cloud storage, with an outside law firm, or with a business partner, you are also at the mercy of their security infrastructure. Do you know how good it is? That’s not to say we shouldn’t use third parties or cloud storage; quite the opposite, in fact, since many of those environments may be safer than some business networks I’ve seen and heard about. But we also can’t blindly trust that everyone we partner with has taken appropriate steps to protect data.
So, what do we take away from this? The damage seems to have been pretty minimal, which is a good thing. NordVPN is probably going to be on the PR treadmill for a while to win back the trust of its users, and we should all make a few notes about the details of this hack and how they might apply to us. Make it a teachable moment.
- Research your VPN provider.
- Make informed decisions about security and understand the trade-offs.
- Verify the security posture and practices of third parties.