NordVPN Users' Passwords Compromised and Exposed on Online Forums

On October 21, NordVPN admitted that hackers had accessed a server that was used by the VPN provider. Less than two weeks later, on Friday, it became apparent that the usernames and passwords of NordVPN users have been leaked on public online forums and sharing platforms like Pastebin. Not surprisingly, people want to know if there's a connection between the two incidents.

The breach that was reported in October actually took place in March 2018. NordVPN was quick to point out that it happened because the Finnish data center that operated the compromised server made a mistake. The blog post also pointed out that the hackers didn't get access to any personal data and that there's no evidence to suggest that any traffic was monitored. In other words, the login credentials that Ars Technica's Dan Goodin first talked about on November 1 weren't leaked during March 2018's attack on NordVPN. Where did they come from, then?

Hackers launch a credential stuffing attack on NordVPN users

The usernames and passwords were exposed after a credential stuffing attack. In other words, they were stolen from another online service that has nothing to do with NordVPN. Having stolen the login data, the hackers tried the username and password combinations on NordVPN, and because people had reused the same credentials on multiple websites, some of the passwords successfully unlocked users' virtual private network accounts. More worryingly, most of the passwords that give access to people's VPNs still seem to be active.

Dan Goodin received a list of 753 email address and plaintext password pairs, and after contacting a sample of the affected users, he concluded that all but one of the combinations were valid. The only person who had updated their password did so after getting notified that someone had accessed their account.

Sadly, the batch Goodin received and analyzed is far from the only one. He said that Troy Hunt had added no fewer than ten similar lists to the Have I Been Pwned breach notification service in a matter of a week. Although some of the accounts appear multiple times, Dan Goodin estimated that at least 2 thousand NordVPN users could be affected by the credential stuffing incident. Compared to other breaches, this number doesn't seem particularly huge, but the nature of a virtual private network account means that the consequences of compromising one could be fairly devastating. So, who is to blame?

Everyone needs to be more aware of the dangers of credential stuffing

As always, saying who's responsible for a cybersecurity incident is more complex than it appears at first.

You obviously have the online services that lost the credentials in the first place. They deserve criticism not only because they failed to protect people's login data, but also because they didn't store the passwords correctly, which is evident by the fact that the credentials are now circulating in plain text.

NordVPN isn't merely a victim, either. As Dan Goodin pointed out, this is supposed to be an online service that provides people with additional security, yet the company that charges money for it didn't put sufficient rate limiting mechanisms in place that would have stopped the cybercriminals. In a better-late-than-never move, NordVPN told Ars Technica that it will now work on this problem and will also develop a two-factor authentication system that should make hackers' lives harder.

At least some of the blame should go to the users as well, though. For years, cybersecurity experts have been using real-world examples to teach people how important password complexity is, but the credentials Dan Goodin looked at showed pretty definitively that the message hasn't gone across. Ars Technica's reporter said that all of the passwords he looked at were weak. Some of them were identical to the first part of the email address they were paired with, others were the users' surnames with a couple of digits attached to them, and others still were dictionary words that can be guessed fairly easily.

The password strength (or lack thereof) isn't even the biggest problem. The concept of credential stuffing relies on people using identical username and password combinations for multiple websites. Despite the large number of similar incidents we have seen over the past few years, users continue to use the same passwords for many different online services, and they then rely on these services to adequately protect their login data. This clearly isn't the best strategy in this day and age.

For a while now, there have been password management solutions like the Cyclonis Password Manager that can help people avoid making the same mistakes over and over again, but for various different reasons, the adoption rates are nowhere near as high as they should be.

The truth is, even if you opt not to use a password manager, you should be aware of the dangers that credential stuffing attacks pose, and you must make sure that your defenses are sufficient enough.