Publicly leaked keys and configuration files
Earlier this year attackers stole and publicly leaked private keys and configuration files. Both NordVPN and TorGuard issued statements. NordVPN confirmed that it was an isolated case on one Finnish server. They also stated that the server did not contain any logs, user names and passwords were not accessed, and no data could have been decrypted at the time of the attack. TorGuard since emphasized it uses secure PKI management, meaning their main CA key was not on the affected server. Like most other paid services, both NordVPN and TorGuard don’t keep logs of user activity.
Taking security to the next level
One thing we learned over time is that nothing is unhackable, pushing companies to better protect their infrastructure. NordVPN is upping security to earn the trust of the public, the cybersec community and their users. One of its first moves is a long-term strategic partnership with top cybersecurity consulting firm VerSprite. Over the next two weeks it will also introduce a bug bounty program and further set the groundwork for a full scale third party independent security audit. Disk-less servers, a network of collocated servers and higher security standards are also part of its plan to prevent future security incidents.