NordVPN, TorGuard, and VikingVPN VPN providers disclose security breaches

NordVPN and TorGuard VPN firms were hacked; threat actors leaked the private keys used to secure their web servers and VPN configuration files.

Hackers have breached the systems used by NordVPN and TorGuard VPN companies and leaked the private keys used to secure their web servers and VPN configuration files.

The information belonging to NordVPN that was leaked online was stolen from the VPN provider's server last year.

The attackers leaked at least three private keys that belong to the company: one from an older NordVPN site certificate and two OpenVPN keys.

The certificate expired in October 2018, a circumstance that suggests that the hack happened last year, but we cannot exclude that the server was storing the key of an outdated certificate.

After the keys were leaked online, experts pointed out that attackers could set up rogue VPN servers and use them to carry out MiTM attacks on users' traffic.

Experts at remarked that the expired certificate could be used only to carry out a MiTM attack, but it could not have been used to decrypt the traffic.

“You can not decrypt stored VPN traffic directly with the leaked keys. From the configuration files also shown, it shows that the OpenVPN configuration uses a key exchange with Diffie-Hellman, so that the connections have the so-called forward-secrecy property, which prevents subsequent decryption.” reads the post published by “The keys could be used for a man-in-the-middle attack. In addition, it can be assumed that the attacker was able to access traffic during the hack.”
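An added example, not taken from the article, the quoted post or the leaked files: a small Python audit that reads an OpenVPN server configuration and reports whether a leaked server key would expose recorded traffic, based on whether the key exchange is ephemeral Diffie-Hellman. The sample configurations, file names and verdict labels are constructed for illustration.

```python
import re

# Constructed sample configs for illustration; not the leaked files.
TLS_CONF = """\
port 1194
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
"""
MIXED_CONF = TLS_CONF.replace("TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384",
                              "TLS-RSA-WITH-AES-256-CBC-SHA")
STATIC_CONF = "dev tun\nifconfig 10.8.0.1 10.8.0.2\nsecret static.key\n"

EPHEMERAL = re.compile(r"(^|-)(EC)?DHE-")  # matches IANA and OpenSSL suite names


def parse_directives(text):
    """Map each directive to its argument list, skipping '#' and ';' comments."""
    directives = {}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].split()
        if line:
            directives[line[0]] = line[1:]
    return directives


def audit(text):
    """Return (verdict, detail) for recorded-traffic exposure if the key leaks."""
    d = parse_directives(text)
    if "secret" in d:
        # Static-key mode: one long-lived key encrypts every session.
        return "none", ["static key: " + " ".join(d["secret"])]
    if not d.get("tls-cipher"):
        # Suites then come from the installed OpenVPN/TLS library defaults.
        return "check-defaults", []
    suites = d["tls-cipher"][0].split(":")
    weak = [s for s in suites if not EPHEMERAL.search(s)]
    return ("not-guaranteed" if weak else "forward-secrecy"), weak


if __name__ == "__main__":
    for name, conf in [("tls", TLS_CONF), ("mixed", MIXED_CONF), ("static", STATIC_CONF)]:
        print(name, *audit(conf))
```

A `forward-secrecy` verdict only covers traffic recorded in the past; a leaked server key can still be used to impersonate the server until its certificate is replaced, which is why reissuing certificates is part of the response.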

NordVPN confirmed the incident that took place in March 2018 when hackers accessed one of the datacenters in Finland operated by a third-party provider.

“A few months ago, we became aware that, on March 2018, one of the datacenters in Finland we had been renting our servers from was accessed with no authorization.” reads the statement published by the VPN provider. “The attacker gained access to the server by exploiting an insecure remote management system left by the datacenter provider. We were unaware that such a system existed. The server itself did not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted either.”

The company highlighted that the expired TLS key was stored in the breached datacenter in Finland and couldn’t possibly have been used to decrypt the VPN traffic of any other server. The only possible way to abuse website traffic was by performing a personalized and sophisticated MiTM attack to intercept a single connection that tried to access

After the incident, NordVPN immediately launched an investigation and terminated the contract with the server provider.

The incident also impacted other VPN providers using the same data center, such as VikingVPN and TorGuard.

TorGuard was the only one of the three VPN providers impacted by the incident that had implemented secure PKI management, which means that its main CA key was not on the affected VPN server.

“The single TorGuard server that was compromised was removed from our network in early 2018 and we have since terminated all business with the related hosting reseller because of repeated suspicious activity.” reads a statement published by TorGuard.

“TorGuard VPN or proxy traffic was not compromised during this isolated breach of a single VPN server and no sensitive information was compromised during this incident. Even though no security risk past or present was found, TorGuard has reissued all certs earlier this year per our security protocol,” they went on to say.

Pierluigi Paganini, Editor-in-Chief, Cyber Defense Magazine
