NordVPN Falls Victim to Credential-Stuffing Attack

· · Link

About 2,000 NordVPN users have fallen victim to credential-stuffing attacks that let third-parties access their accounts.

While it’s likely that some accounts are listed in multiple lists, the number of user accounts easily tops 2,000. What’s more, a large number of the email addresses in the list I received weren’t indexed at all by Have I Been Pwned, indicating that some compromised credentials are still leaking into public view. Most of the Web pages that host these credentials have been taken down, but at the time this post was going live, at least one remained available on Pastebin, despite the fact Ars brought it to NordVPN’s attention more than 17 hours earlier.

NordVPN emailed all the publishers that have reported on its hack. In my opinion the company has been trying to downplay it. We’ll see if its recent security measures will improve the service, or if it’s lip service.