One of the most trusted VPN services, NordVPN, has seen the credentials of over 2,000 accounts compromised and published online. We are talking about email addresses and plaintext passwords, made available to anyone who wants to use them. This time there was no hacker attack: the responsibility for this mass leak lies only with the negligence of users who chose unsafe passwords.
Although NordVPN itself confirmed in recent days that it was the victim of a hacker attack in 2018, this time the company is not at fault. The first to report the news of this large online database of compromised NordVPN accounts was Ars Technica. An anonymous tip revealed a database containing 753 accounts and credentials, all of which were fully functional and valid except one.
This time, however, the culprits are not a handful of malicious hackers: on Pastebin and other platforms you can find lists of working VPN accounts complete with email, password and the account's remaining validity period. Analysing the passwords alongside the account names makes it easy to see why so many accounts were compromised.
The key phrase here is credential stuffing, a type of attack that reuses information obtained from earlier cyber attacks. In the last two years, many web services have admitted to having been compromised at some point in the past. Users are creatures of habit and rarely security-minded: credentials obtained from one breach are therefore tried against other services, where the same password often works.
Think about how many services you use with your personal email: do you change the password for each service? Is every password random, or is there a pattern you always follow? The attackers did nothing more than run automated tools over data they already had, gathered from other compromised web services.
As NordVPN states:
Credential stuffing is a cyberattack in which credentials obtained from a data breach on one service are used to attempt to log in to another, unrelated service. The listed credentials have been acquired from previous leaks and breaches that had nothing to do with NordVPN. It is important to understand that these lists don't signal a breach on any of NordVPN's servers.
Our security team is proactively scanning such credential lists on both public sites and the dark web, and we are urging our clients to change their passwords. Over the past year, we notified approximately 50,000 customers to change their passwords; however, the password change rate is only around 50%. The database we used to check these credentials is ever-growing and consists of more than 30 billion entries.
2,000 accounts having been matched is an issue, but we have 12M customers in total. We have always been working on preventive means, like rate-limiting, smart detection systems, and, in the future, two-factor authentication (2FA). Additionally, we always advise our clients through our social media channels, blog, and customer newsletters that they must keep their passwords unique and strong.
Many of the passwords of the exposed NordVPN accounts are in fact very simple or derived from the username part of the email address. Sometimes the password is the victim's surname with numbers appended, such as a date of birth or an age. It is easy to see how accounts on any service become trivial to break into this way: the fault certainly does not lie with NordVPN.
How to defend your account and increase security
A website, Have I Been Pwned, keeps track of recent password leaks. You can enter your email address and the search will tell you whether it appears in the database of a compromised service. If the result is positive, start by changing the password of the web service in question.
Another solution is to use a password manager that generates completely random passwords for your accounts, whether for apps or web services. There are several available, both free and paid, depending on the level of service you need.
As for safety on NordVPN, we advise you, for the avoidance of doubt, to change your account password, choosing a stronger, more random one that is unrelated to your personal data.
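On the service side, the rate-limiting and detection systems mentioned in NordVPN's statement rely on the pattern that distinguishes credential stuffing from ordinary brute force: one source trying one password each against many different accounts, with an occasional success. The following is an added example (not NordVPN's code) that runs that check over a few constructed authentication log lines in an assumed `timestamp RESULT user=... ip=...` format and reports, per source IP, the pattern seen and which accounts were successfully logged into and therefore need a forced password reset:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not real NordVPN data). One source replays a leaked
# list against many accounts; another hammers a single account.
SAMPLE_LOG = """\
2019-11-01T10:00:01 LOGIN_FAIL user=alice@example.com ip=203.0.113.5
2019-11-01T10:00:02 LOGIN_FAIL user=bob@example.com ip=203.0.113.5
2019-11-01T10:00:02 LOGIN_OK user=carol@example.com ip=203.0.113.5
2019-11-01T10:00:03 LOGIN_FAIL user=dave@example.com ip=203.0.113.5
2019-11-01T10:00:04 LOGIN_FAIL user=erin@example.com ip=203.0.113.5
2019-11-01T10:00:05 LOGIN_OK user=frank@example.com ip=203.0.113.5
2019-11-01T10:00:07 LOGIN_FAIL user=alice@example.com ip=198.51.100.7
2019-11-01T10:00:09 LOGIN_FAIL user=alice@example.com ip=198.51.100.7
2019-11-01T10:00:12 LOGIN_FAIL user=alice@example.com ip=198.51.100.7
2019-11-01T10:00:15 LOGIN_FAIL user=alice@example.com ip=198.51.100.7
2019-11-01T10:00:20 LOGIN_OK user=alice@example.com ip=198.51.100.7
"""

# Assumed log line format: "<ISO timestamp> LOGIN_OK|LOGIN_FAIL user=<account> ip=<source>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<result>LOGIN_OK|LOGIN_FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$")

def parse_log(text):
    """Return a list of (timestamp, result, user, ip); lines not in the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]))
    return events

def classify_sources(events, window=timedelta(minutes=5), min_attempts=5, min_distinct_users=5):
    """Per source IP, slide a time window over its login attempts and label the pattern:
    'stuffing'   - enough attempts spread across many distinct accounts (a leaked list replayed),
    'bruteforce' - enough attempts concentrated on few accounts,
    'normal'     - never reaches the attempt threshold.
    For stuffing sources, also collect accounts that logged in successfully (they need a reset)."""
    by_ip = defaultdict(list)
    for ts, result, user, ip in events:
        by_ip[ip].append((ts, result, user))
    verdicts = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        verdict, hit, start = "normal", set(), 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1  # drop attempts that fell out of the window
            batch = attempts[start:end + 1]
            if len(batch) < min_attempts:
                continue
            if len({u for _, _, u in batch}) >= min_distinct_users:
                verdict = "stuffing"
                hit |= {u for _, r, u in batch if r == "LOGIN_OK"}
            elif verdict == "normal":
                verdict = "bruteforce"
        verdicts[ip] = (verdict, sorted(hit))
    return verdicts
```

Thresholds are placeholders: in production they are tuned per service, and the successful-login set from a stuffing source is the list of accounts whose reused password has been confirmed as compromised.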