NordVPN admits it was hacked, saying that in March 2018 one of its data centers was accessed by a third party (via TechCrunch).
The company had exposed some expired private keys, which means that anyone could set up a server with those keys and pretend to be NordVPN. But it’s not just NordVPN; other companies like TorGuard and VikingVPN were also compromised. Some OpenVPN keys were leaked as well.
The server itself did not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted either. On the same note, the only possible way to abuse the website traffic was by performing a personalized and complicated man-in-the-middle attack to intercept a single connection that tried to access NordVPN.
Aside from the above VPN providers, we currently don’t know if others were affected as well.
NordVPN disagrees with the word “hacked” and sent me a statement:
“I would like to stress that our service has not been hacked. None of the information available on the one server can be used to impersonate or decrypt the traffic of any other. This was an isolated case of one datacenter in Finland. It did not impact thousands of other servers in any way; it is virtually impossible to do that.”
They also have an official blog post about the situation.