
Anatomy of a Breach: NordVPN — When the Privacy Tool Had a Privacy Problem

> series: anatomy_of_a_breach —— part: 130 —— target: nordvpn —— compromised: tls_private_key —— vector: data_centre_management_interface

Hedgehog Security 31 October 2019 12 min read

The VPN that promises privacy was breached through its data centre.

In October 2019 it became public that NordVPN, one of the world's most popular consumer VPN providers with over 12 million users, had been breached in March 2018 through one of its data centre providers in Finland. The provider had installed an insecure remote management system on the server NordVPN rented, without NordVPN's knowledge. An attacker used that interface to reach the server and obtained a TLS private key, which had expired by the time the breach was disclosed, together with server configuration files.

NordVPN stated that no user credentials, browsing activity or tunnel data were compromised, and that the expired TLS key could not be used to decrypt VPN traffic. The breach nevertheless raised serious questions about NordVPN's oversight of its data centre providers: the company had not known that an insecure management interface existed on its own server. The incident was particularly damaging because NordVPN, like every VPN provider, markets itself as a security and privacy tool. Users route all of their internet traffic through the provider; a breach of that trust undermines the product's fundamental value proposition. The breach followed the now familiar pattern of security vendors being compromised, as RSA, LastPass, Hacking Team, Cloudflare and Imperva were before it.



Your provider's provider is your attack surface.

Insecure Remote Management
The data centre provider installed a remote management interface on NordVPN's server without NordVPN's knowledge, and the interface was insecure. Supply chain risk therefore extends beyond software vendors to physical infrastructure providers: whoever racks the hardware can give it an out-of-band management path that the tenant never sees. Our <a href="/penetration-testing/infrastructure">infrastructure testing</a> includes assessment of remote management interfaces (IPMI, iDRAC, iLO), which are frequently left on default or unauthenticated settings.
NordVPN Did Not Know
NordVPN was unaware that the remote management system existed. This lack of visibility into the security configuration of its own infrastructure — managed by a third party — is a supply chain oversight failure. <a href="/cyber-essentials">Cyber Essentials</a> requires organisations to maintain control of their security configurations, including hosted infrastructure.
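The practical check behind both of the points above is to ask a hosted server, from inside its own operating system, whether a baseboard management controller exists and how it is configured. The following is an added example written for this article; it is not Hedgehog tooling and nothing NordVPN or its provider published. It parses the text that `ipmitool lan print <channel>` and `ipmitool user list <channel>` print and flags the weak settings a pentester looks for first: a BMC that answers on the LAN at all, RMCP+ cipher suite 0 (no authentication, integrity or encryption) left usable, the IPMI 1.5 auth type NONE, a default SNMP community, an unnamed user slot that can send IPMI messages, and vendor-default account names. The two sample outputs are constructed for the example, and the list of vendor-default account names is an assumption, not a vendor specification.

```python
"""Audit a server's own BMC/IPMI LAN configuration for classic weak settings,
using the text printed by `ipmitool lan print <ch>` and `ipmitool user list <ch>`."""
import re
from typing import Dict, List, Set

# Constructed sample of `ipmitool lan print 1` output (not captured from a real host).
SAMPLE_LAN_PRINT = """\
Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD
Auth Type Enable        : Callback : MD2 MD5 PASSWORD
                        : User     : NONE MD2 MD5 PASSWORD
                        : Operator : MD2 MD5 PASSWORD
                        : Admin    : MD2 MD5 PASSWORD
                        : OEM      : MD2 MD5 PASSWORD
IP Address Source       : Static Address
IP Address              : 203.0.113.24
Subnet Mask             : 255.255.255.0
MAC Address             : 00:11:22:33:44:55
SNMP Community String   : public
Default Gateway IP      : 203.0.113.1
802.1q VLAN ID          : Disabled
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
                        :     X=Cipher Suite Unused
                        :     a=ADMIN
"""

# Constructed sample of `ipmitool user list 1` output. Slot 1 has no name.
SAMPLE_USER_LIST = """\
ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      true       ADMINISTRATOR
2   ADMIN            true    false      true       ADMINISTRATOR
3   monitor          true    false      true       USER
"""

# Assumption: account names commonly shipped as BMC defaults by various vendors.
VENDOR_DEFAULT_NAMES = {"ADMIN", "ROOT", "ADMINISTRATOR", "USERID"}


def parse_fields(text: str) -> Dict[str, str]:
    """Top-level 'Field : value' lines; indented continuation lines are skipped."""
    fields = {}
    for line in text.splitlines():
        if not line or line[0].isspace() or ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields


def auth_types_enabled(text: str) -> Dict[str, Set[str]]:
    """Privilege level -> IPMI 1.5 auth types enabled, from the multi-line 'Auth Type Enable' block."""
    levels, in_block = {}, False
    for line in text.splitlines():
        if line.startswith("Auth Type Enable"):
            in_block, line = True, line.split(":", 1)[1]
        elif in_block and not line[:1].isspace():
            in_block = False  # first non-indented line ends the block
        if in_block:
            parts = [p.strip() for p in line.split(":") if p.strip()]
            if len(parts) == 2:
                levels[parts[0]] = set(parts[1].split())
    return levels


# An unnamed slot simply has one column fewer, so the name group is optional.
USER_RE = re.compile(r"^(\d+)\s+(?:(\S+)\s+)?(true|false)\s+(true|false)\s+(true|false)\s+(.+?)\s*$")


def parse_user_list(text: str) -> List[dict]:
    """Rows of `ipmitool user list` as dicts (header line skipped)."""
    users = []
    for line in text.splitlines()[1:]:
        m = USER_RE.match(line)
        if m:
            uid, name, _callin, _link, ipmi_msg, priv = m.groups()
            users.append({"id": int(uid), "name": name or "", "ipmi_msg": ipmi_msg == "true", "priv": priv})
    return users


def audit_bmc(lan_text: str, user_text: str) -> List[str]:
    """Return human-readable findings for the weak settings an attacker would try first."""
    findings = []
    f = parse_fields(lan_text)
    ip = f.get("IP Address", "0.0.0.0")
    if ip != "0.0.0.0":
        findings.append(f"BMC answers on the LAN at {ip}: an out-of-band path to this host exists")
    suites = {int(s) for s in f.get("RMCP+ Cipher Suites", "").split(",") if s.strip().isdigit()}
    privs = f.get("Cipher Suite Priv Max", "")
    # Character n of the 15-character string is the max privilege for cipher suite n;
    # suite 0 provides no authentication, integrity or confidentiality at all.
    if 0 in suites and privs[:1] not in ("", "X"):
        findings.append(f"cipher suite 0 (no auth/integrity/encryption) usable up to privilege '{privs[0]}'")
    for level, types in auth_types_enabled(lan_text).items():
        if "NONE" in types:
            findings.append(f"IPMI 1.5 auth type NONE enabled for {level} level")
    if f.get("SNMP Community String", "").lower() in ("public", "private"):
        findings.append("default SNMP community string on the BMC")
    for u in parse_user_list(user_text):
        if u["ipmi_msg"] and not u["name"]:
            findings.append(f"unnamed user slot {u['id']} can send IPMI messages at {u['priv']}")
        if u["ipmi_msg"] and u["name"].upper() in VENDOR_DEFAULT_NAMES:
            findings.append(f"vendor-default account name '{u['name']}' still enabled at {u['priv']}")
    return findings


if __name__ == "__main__":
    for finding in audit_bmc(SAMPLE_LAN_PRINT, SAMPLE_USER_LIST):
        print("FINDING:", finding)
```

On a real host, confirm a BMC is present first with `dmidecode --type 38` (SMBIOS "IPMI Device Information"), load `ipmi_si` and `ipmi_devintf` so the in-band interface appears, then feed `sudo ipmitool lan print 1` and `sudo ipmitool user list 1` to `audit_bmc`. Even a clean report is not a reason to leave the BMC on a routable network: IPMI 2.0's RAKP handshake hands an unauthenticated client a salted hash of any named user's password (CVE-2013-4786), so the management network must be isolated regardless of configuration. The point of the audit is the first finding as much as the others: if the BMC has an address you did not assign, your provider has a path to your server that you were not told about.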
TLS Key Exposure
The compromised TLS private key, though expired, raised questions about what an attacker could do with access to VPN server configuration. Two caveats matter for anyone assessing a similar loss. A session key agreed with ephemeral Diffie-Hellman cannot be recovered from the server's certificate key, so forward secrecy protects recorded traffic; but a key that was valid when stolen lets the thief impersonate the server until the certificate expires, and if the certificate is renewed with the same key pair, the 'expired' key is still live. For organisations deploying TLS certificates on hosted infrastructure, our <a href="/penetration-testing/infrastructure">infrastructure testing</a> verifies certificate management including key storage and rotation.
Sixth Security Vendor Breached in This Series
NordVPN joined RSA, LastPass, Hacking Team, Cloudflare, and Imperva — six security/privacy vendors breached across this series. The pattern is clear: security tools are high-value targets, and their compromise creates supply chain risk for every user. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for the indicators of supply chain compromise regardless of vendor.

Trust, but verify — especially your security vendors.

The NordVPN breach reinforced that organisations must verify the security of their infrastructure providers — including data centres, cloud providers, and managed service providers. 'Trust, but verify' applies to every link in the supply chain. Cyber Essentials addresses supply chain security requirements. Our infrastructure testing assesses remote management interfaces, data centre security, and provider configurations. SOC in a Box monitors for supply chain compromise indicators. And UK Cyber Defence provides incident response when supply chain breaches affect your organisation.


NordVPN didn't know its data centre had installed an insecure management interface. What don't you know about your providers?

Our <a href="/penetration-testing/infrastructure">infrastructure testing</a> checks remote management interfaces. <a href="/cyber-essentials">Cyber Essentials</a> mandates configuration control. <a href="https://www.socinabox.co.uk">SOC in a Box</a> monitors for supply chain compromise.

Next Step

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call
