What NordVPN users need to know about credential stuffing

Were NordVPN users’ passwords leaked?

Yes, but not by or from us (we address what we’re doing about it further down).

Media outlets recently reported of a collection of email and password combinations uploaded to the internet by a hacker (this is a common occurrence). A total of about 2,000 email and password combinations were matched to NordVPN accounts out of more than 12 million total users. However, it’s important to understand how the hackers gained those emails and passwords. It wasn’t by hacking any part of NordVPN’s website or service.

Hackers usually prey on easy targets – websites with poor or nonexistent security practices. They hack them to get their hands on a list of user emails and passwords. In addition to being able to hack those users’ accounts on that site, there’s something they can do to increase their returns.

Hackers know that most users don’t bother to set different passwords for different websites. That’s why they automatically check their lists of account logins against tons of popular websites and services. Every match is an additional account they can breach or sell to increase their payoff. Users who use different passwords for different accounts are safe from this approach. Users who reuse passwords are not.

Are NordVPN users at risk?

No – at least, not on our service.

If your NordVPN account has been leaked, that means that the email and password you’ve been using for a number of other sites and services is out in the open. If any of those other sites have your sensitive information, then yes, you may be at risk on those sites. However, having someone’s NordVPN user login has limited uses.

Here’s what can be done with another user’s NordVPN login:

• Use or disrupt their NordVPN’s services. We allow up to 10 simultaneous connections per account, so the intruder would be able to use NordVPN as well. If they use up that 10-device limit, that may disrupt your service and prevent you from connecting. However, the hacker is more likely to sell access to that account than use it themselves – this is a frequent abuse of leaked passwords by selling a stolen NordVPN account.

Here’s what can’t be done:

• Change their password. Password changes involve responding to a password reset email. Unless the intruder also has access to the user’s email address login, they can’t change their password.
• Monitor their traffic. There is no way to use a NordVPN user account to monitor the traffic on that account.
• Get their data. Our accounts don’t store names or credit card info in a readable format. All the intruder will see is the billing history and email address – which they would’ve already had.

If you were affected by this or any other breach, change your password to every site where you used that password immediately.

What are we doing about it?

We’ve been fighting these types of breaches every single day for years, but resolving these issues requires user action as well.

We use rate limiting, which is a standard practice to hinder these types of scans. It limits how often a single IP can attempt to log in, which makes scanning much more complicated, though not impossible.

Our penetration team regularly searches the dark web and regular websites for account dumps, and users report them to us as well. As soon as we find account matches, we notify those users and ask them to change their passwords.

We have notified over 50,000 users that they should change their passwords over the years. Unfortunately, only about 50% of those users responded by changing their passwords. This is not something we can do for them – they have to take that step themselves. If you get a message from NordVPN urging you to change your password, please do so – it’s for your own security.

If you aren’t yet covered by a VPN, download our VPN app and purchase the subscription that works best for you. Once you launch the app, you’ll be protected by some of the best encryption in the industry.

To see if you have been affected in this or any other breach, visit haveibeenpwned.com.