
Last week it came to light that a single NordVPN server had been accessed by an unauthorized third party. The attacker got into one server located in Finland through mistakes made by the data center owner, of which NordVPN says it was not aware, according to the company's statement.
According to NordVPN, users were not affected, as the server held no user activity logs, usernames, or passwords. The company states that the VPN service as a whole was not hacked, the code was not compromised, the VPN tunnel was not breached, and the NordVPN apps were unaffected. In other words, no user noticed any disruption of the service, and no individual user was affected.
That doesn't mean NordVPN is doing nothing about the incident. Quite the contrary: the company has entered into a long-term strategic partnership with VerSprite, a cybersecurity consulting firm. The partnership covers threat and vulnerability management, penetration testing, compliance management, and assessment services. VerSprite will also help to form an independent cybersecurity advisory committee of selected experts that will oversee NordVPN's security practices.
“We are planning to use not only our own knowledge, but to also take advice from the best cybersecurity experts and implement the best cybersecurity practices there are,” Laura Tyrell, Head of Public Relations at NordVPN, said in a statement. “And this is the first of many steps we are going to take in order to bring the security of our service to a whole new level.”
Specifically, here’s what NordVPN plans to do to ensure even better security of its service:
1. Partnership with VerSprite
As mentioned above, VerSprite will help NordVPN with penetration testing, probing the infrastructure for weaknesses and mitigating the vulnerabilities it finds. This won't be a one-time job but a long-term partnership, with VerSprite continually testing the servers in NordVPN's network.
The main tasks covered in the agreement include comprehensive penetration testing, intrusion handling, and source code analysis. VerSprite will also help to form an independent cybersecurity advisory committee.
2. Bug bounty
Over the next few weeks, NordVPN is going to introduce a bug bounty program that rewards security researchers for finding potential vulnerabilities and reporting them to the developers so they can be fixed. Bounty hunters get a well-earned payout, and NordVPN users get a service that is being scoured for bugs by many independent researchers, which is the point of such a program.
3. Infrastructure security audit
NordVPN is planning to complete a full-scale third-party independent security audit next year. The audit will cover the infrastructure hardware, VPN software, backend architecture, backend source code, and internal procedures. The chosen vendor for the security audit will be announced in the future.
4. Vendor security assessment and higher security standards
NordVPN is also planning to build a network of colocated servers that are owned exclusively by NordVPN. The company is currently finishing its infrastructure review so that it can eliminate any exploitable weaknesses left by third-party server providers, and it says it is committed to ensuring that its exclusively owned infrastructure maintains the highest security standards.
5. Diskless servers
Finally, NordVPN aims to upgrade its entire infrastructure, which currently includes over 5100 servers, to RAM-only (diskless) servers. This allows the company to run a centrally controlled network where nothing is stored locally, not even an operating system. Everything a server needs to run is provided by NordVPN's secure central infrastructure and lives only in memory. Once powered down, such a server holds nothing: anyone who seizes one finds an empty piece of hardware with no data or configuration files on it.
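The diskless claim is one a practitioner can verify on the box rather than take on trust. The following is an added example written for this article (it is not NordVPN's tooling and does not describe their provisioning): it audits a Linux host's /proc/mounts and /proc/swaps tables and reports every mount backed by a block device, plus any active swap area. A root filesystem on disk means an OS and configuration persist; swap on disk means RAM contents can persist too, which quietly defeats the point of a RAM-only server. The sample tables are constructed, and the list of block-device path prefixes it recognises is my assumption, not an exhaustive one.

```python
"""Audit a Linux host for persistent local storage.

Added example for this article, not NordVPN's own tooling. It reads the
kernel's /proc/mounts and /proc/swaps tables (documented Linux formats)
and reports every block-device-backed mount and every active swap area.
On a genuinely diskless, RAM-only server both lists should be empty.
"""
import re
from dataclasses import dataclass

# Device path prefixes treated as block devices (physical, virtual or mapped).
# This list is an assumption for the example; extend it for your hardware.
BLOCK_DEVICE = re.compile(r"^/dev/(sd|hd|vd|xvd|nvme|mmcblk|md|dm-|mapper/|disk/)")


@dataclass(frozen=True)
class Finding:
    kind: str       # "mount" or "swap"
    source: str     # device path
    target: str     # mount point ("" for swap)
    writable: bool  # mounted rw (swap is always writable)


def _unescape(field: str) -> str:
    """/proc/mounts encodes space, tab, newline and backslash as \\ooo octal."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text: str):
    """Yield (source, mount point, fstype, option list) for each /proc/mounts line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        source, target, fstype, options = parts[:4]
        yield _unescape(source), _unescape(target), fstype, options.split(",")


def parse_swaps(text: str):
    """Yield the device or file path of each active swap area from /proc/swaps."""
    for line in text.splitlines()[1:]:  # first line is the column header
        parts = line.split()
        if parts:
            yield _unescape(parts[0])


def audit(mounts_text: str, swaps_text: str) -> list:
    """Return every piece of persistent storage the host is using."""
    findings = []
    for source, target, _fstype, options in parse_mounts(mounts_text):
        if BLOCK_DEVICE.match(source):
            findings.append(Finding("mount", source, target, "rw" in options))
    for device in parse_swaps(swaps_text):
        findings.append(Finding("swap", device, "", True))
    return findings


def is_diskless(mounts_text: str, swaps_text: str) -> bool:
    """True only if no block device is mounted and no swap is active."""
    return not audit(mounts_text, swaps_text)


# Constructed sample tables for the example (not captured from any real host).
DISKLESS_MOUNTS = """\
rootfs / rootfs rw 0 0
tmpfs / tmpfs rw,relatime,size=8388608k 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
devtmpfs /dev devtmpfs rw,nosuid,size=4096k,nr_inodes=1048576 0 0
tmpfs /run tmpfs rw,nosuid,nodev,size=1638400k 0 0
"""
DISK_MOUNTS = """\
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
udev /dev devtmpfs rw,nosuid,relatime,size=8143292k,nr_inodes=2035823 0 0
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/mapper/vg0-data /var/lib/data ext4 rw,relatime 0 0
/dev/sdb1 /mnt/backup\\040disk xfs ro,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,size=1638400k 0 0
"""
NO_SWAP = "Filename\t\t\t\tType\t\tSize\tUsed\tPriority\n"
DISK_SWAP = NO_SWAP + "/dev/sda2                               partition\t2097148\t0\t-2\n"

if __name__ == "__main__":
    for label, mounts, swaps in (("diskless host", DISKLESS_MOUNTS, NO_SWAP),
                                 ("conventional host", DISK_MOUNTS, DISK_SWAP)):
        verdict = "diskless" if is_diskless(mounts, swaps) else "NOT diskless"
        print(f"{label}: {verdict}")
        for f in audit(mounts, swaps):
            print(f"  {f.kind:5} {f.source} {f.target} {'rw' if f.writable else 'ro'}")
```

To run it against a live host, replace the sample strings with the contents of /proc/mounts and /proc/swaps. A read-only block mount is still reported, because an on-disk OS image or configuration file is exactly the kind of artifact that survives a seizure, and a host with a tmpfs root but disk-backed swap is reported as not diskless for the same reason.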
“The changes we’ve outlined will make you significantly safer every time you use our service. Every part of NordVPN will become faster, stronger, and more secure – from our infrastructure and code to our teams and our partners,” added Laura Tyrell. “That’s our promise — we owe it to you.”
Our take: way to go NordVPN!!! All this work because of something that is essentially a non-issue. We can only hope that other VPNs will be reading from NordVPN’s playbook.