
What NordVPN users need to know about credential stuffing

Nov 07, 2019 · 3 min read


After noticing a number of misleading headlines about account and password breaches at NordVPN, we’d like to explain what’s really going on. No password leak or breach occurred at our service, and our users’ personal data is still secure – as far as our website and service are concerned.

Were NordVPN users’ passwords leaked?

Yes, but not by or from us (we address what we’re doing about it further down).

Media outlets recently reported a collection of email and password combinations uploaded to the internet by a hacker (this is a common occurrence). A total of about 2,000 email and password combinations were matched to NordVPN accounts out of more than 12 million total users. However, it’s important to understand how the hackers obtained those emails and passwords. It wasn’t by hacking any part of NordVPN’s website or service.

Hackers usually prey on easy targets – websites with poor or nonexistent security practices. They hack them to get their hands on a list of user emails and passwords. In addition to being able to hack those users’ accounts on that site, there’s something they can do to increase their returns.

Hackers know that most users don’t bother to set different passwords for different websites. That’s why they automatically check their lists of account logins against tons of popular websites and services. Every match is an additional account they can breach or sell to increase their payoff. Users who use different passwords for different accounts are safe from this approach. Users who reuse passwords are not.

[Illustration: an unsecure user reuses their passwords and exposes themselves to a breach; a secure user uses unique passwords, protecting themselves from breaches]

Are NordVPN users at risk?

No – at least, not on our service.

If your NordVPN account has been leaked, that means that the email and password you’ve been using for a number of other sites and services is out in the open. If any of those other sites have your sensitive information, then yes, you may be at risk on those sites. However, having someone’s NordVPN user login has limited uses.

Here’s what can be done with another user’s NordVPN login:

  • Use or disrupt their NordVPN service. We allow up to 6 simultaneous connections per account, so the intruder would be able to use NordVPN as well. If they use up that 6-device limit, that may disrupt your service and prevent you from connecting. However, the hacker is more likely to sell access to that account than use it themselves – this is a frequent abuse of leaked passwords that we’ve written about here.

Here’s what can’t be done:

  • Spend the user’s money. We don’t store credit card information on our accounts. Users have to re-enter it every time they want to pay for our services. The intruder can’t order more NordVPN services and can’t spend any of the user’s money elsewhere by logging in to their NordVPN account. Under certain circumstances, if the user ordered recurring payments online, the intruder might be able to cancel the next recurring payment.
  • Change their password. Password changes involve responding to a password reset email. Unless the intruder also has access to the user’s email address login, they can’t change their password.
  • Monitor their traffic. There is no way to use a NordVPN user account to monitor the traffic on that account.
  • Get their data. Our accounts don’t store names or credit card info in a readable format. All the intruder will see is the billing history and email address – which they would’ve already had.

If you were affected by this or any other breach, change your password to every site where you used that password immediately.

What are we doing about it?

We’ve been fighting these types of breaches every single day for years, but resolving these issues requires user action as well.

We use rate limiting, which is a standard practice to hinder these types of scans. It limits how often a single IP can attempt to log in, which makes scanning much more complicated, though not impossible.
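To make the per-IP rate limiting concrete, here is an added example (not NordVPN's own code) of a sliding-window limiter on login attempts, plus the complementary signal a defender watches for: one source trying many distinct accounts. The thresholds, IP addresses and attempt stream are all constructed for the example.

```python
from collections import defaultdict, deque

class LoginRateLimiter:
    """Sliding-window limiter: at most `limit` login attempts per source IP in
    any `window` seconds. The thresholds are constructed for this example and
    are not NordVPN's actual settings."""

    def __init__(self, limit=5, window=60.0):
        self.limit = limit
        self.window = window
        self._attempts = defaultdict(deque)  # ip -> timestamps of recent attempts

    def allow(self, ip, now):
        """Return True if the attempt may proceed, False if it is throttled."""
        q = self._attempts[ip]
        while q and now - q[0] >= self.window:  # age out old attempts
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

def run(attempts, limit=5, window=60.0):
    """Apply the limiter to a stream of (timestamp, ip, account) tuples and
    return {ip: (allowed, throttled)} counts."""
    limiter = LoginRateLimiter(limit, window)
    counts = defaultdict(lambda: [0, 0])
    for ts, ip, _account in attempts:
        counts[ip][0 if limiter.allow(ip, ts) else 1] += 1
    return {ip: tuple(c) for ip, c in counts.items()}

def stuffing_sources(attempts, min_accounts=5):
    """Complementary detection: IPs that tried at least `min_accounts` distinct
    accounts. A human mistyping one password does not look like this."""
    seen = defaultdict(set)
    for _ts, ip, account in attempts:
        seen[ip].add(account)
    return {ip for ip, accounts in seen.items() if len(accounts) >= min_accounts}

# Constructed attempt stream: one IP sprays many different accounts in quick
# succession (the credential stuffing pattern); the other is a user retrying.
ATTEMPTS = [(0.5 * i, "203.0.113.7", f"user{i}@example.com") for i in range(7)]
ATTEMPTS += [(4.0, "198.51.100.2", "h@example.com"),
             (9.0, "198.51.100.2", "h@example.com")]

if __name__ == "__main__":
    print(run(ATTEMPTS))              # {'203.0.113.7': (5, 2), '198.51.100.2': (2, 0)}
    print(stuffing_sources(ATTEMPTS)) # {'203.0.113.7'}
```

The limiter only sees one IP at a time, which is why the text says scanning becomes harder but not impossible; the distinct-accounts check is one way to spot the pattern that per-IP limits alone miss.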

Our penetration team regularly searches the dark web and regular websites for account dumps, and users report them to us as well. As soon as we find account matches, we notify those users and ask them to change their passwords.
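The matching step, as an added example rather than NordVPN's own tooling: a found dump of (email, password) pairs is checked against a store of salted password hashes, and only the affected emails come back so they can be notified. The PBKDF2 scheme, iteration count, accounts and dump contents are all assumptions constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed user store: email -> (salt, PBKDF2 hash). The hashing scheme is
# an assumption for this example; it is not NordVPN's actual storage format.
ITERATIONS = 50_000

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_user_store(credentials):
    """Build the store from (email, password) pairs; plaintext is not kept."""
    store = {}
    for email, password in credentials:
        salt = os.urandom(16)
        store[email.strip().lower()] = (salt, hash_password(password, salt))
    return store

def find_matches(store, dump):
    """Return the set of our users whose stored hash matches a leaked
    (email, password) pair, i.e. the accounts that must be told to change
    their password. Leaked passwords are neither stored nor returned."""
    matches = set()
    for email, leaked_pw in dump:
        key = email.strip().lower()
        entry = store.get(key)
        if entry is None:
            continue  # leaked address is not one of our accounts
        salt, stored = entry
        if hmac.compare_digest(hash_password(leaked_pw, salt), stored):
            matches.add(key)
    return matches

# Constructed data: one user reused a password that appears in the dump, one
# used a unique password, and one leaked address is not a customer at all.
USERS = make_user_store([
    ("reuser@example.com", "hunter2"),
    ("unique@example.com", "correct horse battery staple"),
])
DUMP = [
    ("Reuser@Example.com", "hunter2"),
    ("unique@example.com", "hunter2"),
    ("stranger@example.org", "password1"),
]

if __name__ == "__main__":
    for email in sorted(find_matches(USERS, DUMP)):
        print("notify:", email)  # prints only reuser@example.com
```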

We have notified over 50,000 users that they should change their passwords over the years. Unfortunately, only about 50% of those users responded by changing their passwords. This is not something we can do for them – they have to take that step themselves. If you get a message from NordVPN urging you to change your password, please do so – it’s for your own security.

To see if you have been affected in this or any other breach, visit haveibeenpwned.com.


Daniel Markuson

Daniel is a digital privacy enthusiast and an internet security expert. As the blog editor at NordVPN, Daniel is generous with spreading news, stories, and tips through the power of a well-written word.
