After noticing a number of misleading headlines about account and password breaches at NordVPN, we’d like to explain what’s really going on. No password leak or breach occurred at our service, and our users’ personal data remains secure as far as our website and service are concerned.
Yes, but not by or from us (we address what we’re doing about it further down).
Media outlets recently reported on a collection of email and password combinations uploaded to the internet by a hacker (this is a common occurrence). A total of about 2,000 email and password combinations were matched to NordVPN accounts out of more than 12 million total users. However, it’s important to understand how the hackers obtained those emails and passwords. It wasn’t by hacking any part of NordVPN’s website or service.
Hackers usually prey on easy targets – websites with poor or nonexistent security practices. They hack them to get their hands on a list of user emails and passwords. Beyond hacking those users’ accounts on that one site, there’s a way for them to increase their returns.
Hackers know that most users don’t bother to set different passwords for different websites. That’s why they automatically check their lists of account logins against a large number of popular websites and services. Every match is an additional account they can breach or sell to increase their payoff. Users who use a different password for each account are safe from this approach. Users who reuse passwords are not.
No – at least, not on our service.
If your NordVPN account has been leaked, that means that the email and password you’ve been using for a number of other sites and services are out in the open. If any of those other sites hold your sensitive information, then yes, you may be at risk on those sites. However, having someone’s NordVPN login has limited uses.
Here’s what can be done with another user’s NordVPN login:
Here’s what can’t be done:
If you were affected by this or any other breach, immediately change your password on every site where you used that password.
We’ve been fighting these types of breaches every single day for years, but resolving these issues requires user action as well.
We use rate limiting, which is a standard practice to hinder these types of scans. It limits how often a single IP can attempt to log in, which makes scanning much harder, though not impossible.
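To make the automated list-checking described above and the per-IP rate limiting that counters it concrete, here is an added example (our own illustration, not NordVPN’s actual login code or settings): a sliding-window limiter keyed on source IP, replayed over constructed login events, with a distinct-accounts-per-IP count as the detection signal. The limit values, IP addresses and email addresses are all constructed.

```python
from collections import defaultdict, deque

# Policy values are constructed for illustration, not NordVPN's real settings.
MAX_ATTEMPTS = 5      # attempts allowed per source IP ...
WINDOW_SECONDS = 60   # ... within this sliding window


class LoginRateLimiter:
    """Sliding-window login limiter keyed on source IP.

    Every attempt counts, success or failure, so one address replaying a
    leaked email/password list is cut off after MAX_ATTEMPTS, while a real
    user who mistypes a password a couple of times is never affected.
    """
    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS):
        self.max_attempts = max_attempts
        self.window = window
        self.attempts = defaultdict(deque)     # ip -> timestamps of recent attempts
        self.accounts_seen = defaultdict(set)  # ip -> distinct emails it tried

    def allow(self, ip, email, now):
        """Return True if the attempt may proceed to password verification."""
        q = self.attempts[ip]
        while q and now - q[0] >= self.window:   # expire timestamps outside the window
            q.popleft()
        self.accounts_seen[ip].add(email)
        if len(q) >= self.max_attempts:
            return False   # over the limit: reject before the password is even checked
        q.append(now)
        return True

    def distinct_accounts(self, ip):
        """Detection signal: many different emails from one IP is the list-checking pattern."""
        return len(self.accounts_seen[ip])


def replay(events, limiter=None):
    """Feed (ip, email, timestamp) events through the limiter; return rejections per IP."""
    limiter = limiter or LoginRateLimiter()
    rejected = defaultdict(int)
    for ip, email, ts in events:
        if not limiter.allow(ip, email, ts):
            rejected[ip] += 1
    return dict(rejected), limiter


# Constructed traffic: a genuine user retrying, and one address replaying a leaked list.
SAMPLE_EVENTS = (
    [("198.51.100.7", "alice@example.com", t) for t in (0, 4, 9)]
    + [("203.0.113.9", f"user{i}@example.com", 10 + i * 0.5) for i in range(40)]
)
```

Replaying `SAMPLE_EVENTS` lets the genuine user's three retries through, rejects 35 of the 40 list-replay attempts from the single address, and reports 40 distinct emails tried from that IP, the signal that distinguishes list replay from an ordinary forgotten password.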
Our penetration team regularly searches the dark web and regular websites for account dumps, and users report them to us as well. As soon as we find account matches, we notify those users and ask them to change their passwords.
We have notified over 50,000 users that they should change their passwords over the years. Unfortunately, only about 50% of those users responded by changing their passwords. This is not something we can do for them – they have to take that step themselves. If you get a message from NordVPN urging you to change your password, please do so – it’s for your own security.
To see if you have been affected in this or any other breach, visit haveibeenpwned.com.