VPN providers TorGuard and NordVPN have responded to reports that their systems were breached, with both blaming a third-party service provider for the incident.

Attackers have leaked private RSA keys and configuration file details that were stolen from a NordVPN server last year.

As many as three private keys appear to have been stolen from the server, and the data was leaked online in response to a NordVPN Twitter message that stated, “Ain’t no hacker can steal your online life. (If you use VPN). Stay safe,” which the company has since taken down, saying it lacked editorial oversight.

“The infosec community’s critique, as always, was swift and precise, pointing out the overstatement. The ad was removed right after it was noticed by our management. We did this not because we hoped to kill the ongoing discussion – we are well aware of the opposite effect,” the company said in a tweet.

Immediately after the keys were posted online, the first analyses appeared, with some suggesting that the site key could have been used to carry out man-in-the-middle (MiTM) attacks by setting up fake servers.

Others pointed out that, although a MiTM attack was likely possible using the key, which belongs to a now expired and retired TLS certificate, the key could not have been used to decrypt stored VPN traffic.

NordVPN, in its official response, confirmed that attackers accessed one of its servers and stole the TLS key, but said they could only have used it to perform “a personalized and complicated MiTM attack to intercept a single connection that tried to access nordvpn.com.”

“[T]he key couldn’t possibly have been used to decrypt the VPN traffic of any other server,” the VPN service provider says.

“The attacker gained access to the server by exploiting an insecure remote management system left by the datacenter provider while we were unaware that such a system existed,” the company says.

NordVPN also explains that it only learned about the incident many months ago, that it immediately launched an investigation and terminated the contract with the server provider, but not before shredding all servers rented from them.

The company says it has already audited its entire infrastructure to ensure no other server could have been abused in the same way, and that it has also accelerated the encryption of all its servers.

“The server itself did not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted either,” NordVPN says.
