"The only possible way to abuse website traffic was by performing a personalized and complicated MiTM attack to intercept a single connection that tried to access nordvpn.com," the company wrote in a blog post.
The incident took place in March 2018, when an unauthorized person accessed a server NordVPN rented from a third-party data center in Finland. They exploited an "insecure remote management system" that the data center provider left in place. NordVPN wasn't aware that such a system existed.
The affected server was added to NordVPN's server list on January 31st that year. The provider detected the vulnerability and removed the remote management account on March 20th without informing NordVPN.
The company learned of the incident a few months ago and right away ended its contract with the data center provider and scrubbed all the data it had on the rented servers. It didn't disclose the breach immediately because it had to audit the rest of its infrastructure to ensure similar issues wouldn't occur elsewhere. It also "accelerated the encryption of all of our servers." That took some time because of its complex infrastructure and the more than 3,000 servers it uses.
The issue didn't affect any of NordVPN's other servers or data centers. It says it will require providers it works with to meet higher security standards. It's also moving all of its servers to RAM, a process that should be completed next year.
While the breach doesn't seem to have had a significant impact on user privacy, it's not a great look for a company that touts itself as offering "secure and private access to the internet." As such, NordVPN is doubling down on security. "We have undergone an application security audit, are working on a second no-logs audit right now, and are preparing a bug bounty program," it wrote in the post. "[Next] year we will launch an independent external audit of all of our infrastructure to make sure we did not miss anything else."