The so-called ultra-secure VPN service is once again under pressure: Ars Technica reports that around 2,000 NordVPN users have fallen victim to credential stuffing attacks, which gave unauthorized parties access to their accounts.
According to the report, credentials for NordVPN users have been circulating on Pastebin and other online forums in recent weeks. The lists include email addresses, plain-text passwords and the expiry dates of the NordVPN accounts.
Dan Goodin reports that on Thursday he obtained a list of 753 credentials and tested a few of them. One of them appeared to have been compromised already: someone who had gained unauthorized access was in the process of taking over the account. Goodin adds that several other people have also said that unauthorized parties had access to their accounts.
Over the past week, the breach notification service Have I Been Pwned has indexed at least 10 lists of NordVPN credentials similar to the ones Goodin received.
While some accounts probably appear in more than one list, the number of affected accounts could easily reach 2,000. Moreover, Have I Been Pwned had not indexed a large number of the email addresses in the list Goodin received, indicating that compromised credentials are still leaking to the public. Most of the web pages hosting these credentials have since been taken down, but at the time the post went live, at least one remained on Pastebin, even though Ars had brought it to NordVPN's attention 17 hours earlier.
All of the plain-text passwords, without exception, are weak. In some cases the password is simply the local part of the email address, the string of characters to the left of the @ sign. In other cases it is a word found in most dictionaries. Others appear to be surnames, sometimes with two or three digits tacked on the end. These common traits make credential stuffing the most likely explanation for how the passwords became public. Credential stuffing is the term for attacks that take usernames and passwords exposed in one breach and try them against other services, relying on the fact that many people reuse the same credentials across sites; the attacker does not need to breach the target at all. Attackers typically run these attacks with automated scripts.
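To make those patterns concrete, here is an added example (not code from Ars Technica, Dan Goodin or NordVPN) that scans an email/password list and flags each password that matches one of the three traits described above: the local part of the email, a dictionary word, or a surname followed by two or three digits. The sample credentials are constructed for the example, and the tiny word and surname lists are an assumption standing in for a full wordlist.

```python
import re

# Constructed sample records (email, plain-text password) mirroring the
# patterns described in the article; invented for illustration, not leaked data.
SAMPLE_CREDENTIALS = [
    ("alice.smith@example.com", "alice.smith"),   # local part of the email
    ("bob@example.net", "password"),              # dictionary word
    ("carol@example.org", "Johnson42"),           # surname + two digits
    ("dave@example.com", "xK9#vQ2!pL7zR4mW"),     # matches none of the patterns
]

# Assumption: tiny stand-ins for a real dictionary and surname list. A
# production check would load a full wordlist (or a breached-password corpus).
DICTIONARY_WORDS = {"password", "welcome", "dragon", "letmein", "monkey"}
SURNAMES = {"smith", "johnson", "williams", "brown", "jones"}

def classify_weak_password(email: str, password: str) -> list:
    """Return the list of weak-password patterns the password matches.

    - 'email_local_part': password equals the text left of '@' in the email
    - 'dictionary_word':  password is a common dictionary word
    - 'surname_digits':   a surname followed by exactly two or three digits
    An empty list means none of these patterns matched; it is not proof of
    strength, only that the password does not fit the traits seen in the leak.
    """
    findings = []
    local_part = email.split("@", 1)[0]
    lowered = password.lower()

    if lowered == local_part.lower():
        findings.append("email_local_part")
    if lowered in DICTIONARY_WORDS:
        findings.append("dictionary_word")
    match = re.fullmatch(r"([a-z]+)(\d{2,3})", lowered)
    if match and match.group(1) in SURNAMES:
        findings.append("surname_digits")
    return findings

def audit(credentials):
    """Map each email in a (email, password) list to its weak-pattern findings."""
    return {email: classify_weak_password(email, pw) for email, pw in credentials}

if __name__ == "__main__":
    for email, findings in audit(SAMPLE_CREDENTIALS).items():
        print(f"{email}: {findings or 'no known-weak pattern'}")
```

The same check is useful on the defender's side: a service can run it at password-set time (with the user's own email as input) and refuse passwords that would be trivially guessable from the account's public identifier.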
We believe NordVPN should take further steps to prevent malicious parties from logging in with users' poorly chosen passwords. Chief among them would be rate limiting and algorithms that detect and block automated or anomalous login attempts. It is hard to understand why NordVPN, a company that sells security to its users and is touted by commercial journalists as the so-called ultra-secure VPN, allows so many of them to fall victim to these attacks.
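As an added example of the kind of server-side detection called for above (this is illustrative code, not NordVPN's or Ars Technica's), the following scans a login-event log for the signature of a credential stuffing run: one source IP making many attempts against many distinct accounts inside a short window, with the occasional success marking an account the attacker actually got into. The log lines are constructed for the example, and the thresholds are assumptions, not any real service's settings. A per-account lockout check is included alongside it to show why that control alone does not catch stuffing: each account is only tried once.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login events: timestamp, source IP, account, outcome. They mimic a
# stuffing run from one IP followed by a legitimate user mistyping a password.
# Invented for this example; not real NordVPN data.
LOG_LINES = """\
2019-11-01T10:00:00Z 203.0.113.7 user01@example.com FAIL
2019-11-01T10:00:01Z 203.0.113.7 user02@example.com FAIL
2019-11-01T10:00:02Z 203.0.113.7 user03@example.com FAIL
2019-11-01T10:00:03Z 203.0.113.7 user04@example.com OK
2019-11-01T10:00:04Z 203.0.113.7 user05@example.com FAIL
2019-11-01T10:00:05Z 203.0.113.7 user06@example.com FAIL
2019-11-01T10:00:06Z 203.0.113.7 user07@example.com FAIL
2019-11-01T10:00:07Z 203.0.113.7 user08@example.com FAIL
2019-11-01T10:00:08Z 203.0.113.7 user09@example.com OK
2019-11-01T10:00:09Z 203.0.113.7 user10@example.com FAIL
2019-11-01T10:01:00Z 198.51.100.4 alice@example.com FAIL
2019-11-01T10:01:05Z 198.51.100.4 alice@example.com FAIL
2019-11-01T10:01:12Z 198.51.100.4 alice@example.com OK
"""

# Assumed thresholds for the example; tune against real traffic.
WINDOW = timedelta(minutes=5)
MAX_ATTEMPTS_PER_IP = 8     # attempts from one IP inside WINDOW before it is flagged
MIN_DISTINCT_ACCOUNTS = 5   # stuffing spreads over many accounts, a real user over few
MAX_FAILS_PER_ACCOUNT = 5   # classic per-account lockout threshold

def parse_events(text):
    """Parse the space-separated log into (timestamp, ip, account, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, outcome))
    return events

def detect_stuffing(events):
    """Return {ip: summary} for IPs whose traffic looks like credential stuffing.

    An IP is flagged when, inside one sliding WINDOW, it makes more than
    MAX_ATTEMPTS_PER_IP attempts spread over at least MIN_DISTINCT_ACCOUNTS
    accounts. Successful logins inside that burst are listed as compromised,
    since those are the accounts whose passwords the attacker guessed.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > WINDOW:   # slide the window forward
                start += 1
            window = evs[start:end + 1]
            accounts = {e[2] for e in window}
            if len(window) > MAX_ATTEMPTS_PER_IP and len(accounts) >= MIN_DISTINCT_ACCOUNTS:
                if ip not in flagged or len(window) > flagged[ip]["attempts"]:
                    flagged[ip] = {
                        "attempts": len(window),
                        "distinct_accounts": len(accounts),
                        "compromised": sorted(e[2] for e in window if e[3] == "OK"),
                    }
    return flagged

def accounts_to_lock(events):
    """Accounts with more than MAX_FAILS_PER_ACCOUNT failures inside one WINDOW.

    This is the per-account lockout most services already have. Against a
    stuffing run that tries each account once it never fires, which is why the
    per-IP velocity check above is needed as well.
    """
    by_account = defaultdict(list)
    for ts, _ip, account, outcome in sorted(events):
        if outcome == "FAIL":
            by_account[account].append(ts)
    locked = []
    for account, fails in by_account.items():
        start = 0
        for end in range(len(fails)):
            while fails[end] - fails[start] > WINDOW:
                start += 1
            if end - start + 1 > MAX_FAILS_PER_ACCOUNT:
                locked.append(account)
                break
    return sorted(locked)

if __name__ == "__main__":
    evs = parse_events(LOG_LINES)
    print("stuffing sources:", detect_stuffing(evs))
    print("accounts to lock:", accounts_to_lock(evs))
```

In production the same counters would live in a shared store keyed by IP (and by autonomous system or device fingerprint, since stuffing tools rotate proxies), and a hit would trigger a CAPTCHA or step-up challenge rather than a hard block, to limit the damage an attacker can do by deliberately tripping the limit against victims.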
We also recommend that all NordVPN users go to Have I Been Pwned and check whether their email address appears in any of the lists. If it does, they should change their password immediately, and not reuse it anywhere else. Keeping track of scores of strong, unique passwords is too difficult for most people, but that is exactly the job a password manager does.