How we got sued by TorGuard for trying to disclose their own vulnerability to them
It all started when we received information that led us to find a TorGuard server configuration file lying in the open on the internet.
The file revealed how the TorGuard service was configured, displayed private keys, and contained a bunch of other infrastructural IP addresses, including the IPs of their authentication servers and similar assets. Because the file could have been part of some outdated legacy system, we decided to verify whether it was actually an issue by trying to access some of the IPs through a regular browser.
To our surprise, we saw that one of the servers was left completely unprotected. Anyone could have accessed it by simply entering the server’s IP into the address field of their browser. The server contained a number of scripts and other sensitive information. In the wrong hands, this information could have easily been misused, possibly causing major damage to TorGuard and their customers.
We reached out to TorGuard’s CTO, Keith Murray, who immediately added TorGuard’s CEO, Benjamin Van Pelt, to the conversation. For security reasons, we suggested communicating over an end-to-end encrypted messaging platform, and both gentlemen immediately agreed. We then told them what we had found.
We provided the IP of the affected server without asking for anything in return so that TorGuard could patch their vulnerability. This is despite the fact that we could have published our findings publicly as security research, and despite the fact that we have a strong basis to believe that TorGuard has been running a year-long baseless defamation campaign against our company. We hoped that after providing this vital assistance towards securing TorGuard’s infrastructure, they would also cease their illegal defamation campaign. We informed them of our desire to set aside past differences and also of our right to take legal action if they persisted in attacking us.
We are still having trouble wrapping our heads around what happened next. On Monday, May 27th, we received information about a lawsuit filed against us by a law firm called Losey PLLC. TorGuard was accusing us and (probably by mistake) some unrelated Canadian web design company of plotting against them, hacking their servers, launching a DDoS attack against them on Black Friday, and physically intimidating someone – and this is a heavily abridged version.
All of these accusations, and we say this with unwavering confidence, are fabricated. We can’t understand their reasoning for doing so, and we’re not sure whether this unprovoked attack was launched because TorGuard are afraid we might disclose their vulnerabilities publicly. We never planned to do so, hoping that they would patch things up as soon as we had informed them.
We aimed to do the right thing in the right way and to compete honestly without damaging the industry, which is why we were so shocked by the response. We will immediately move to dismiss TorGuard’s libelous lawsuit, but as long as we’re on the topic: filing false and malicious lawsuits and publishing false and misleading information is against the law. Therefore, we are filing a suit of our own on the grounds of defamation and libel.
UPDATE June 21st: On June 19th, the US District Court in Orlando decided to dismiss the case against NordVPN. The dismissal was issued on the grounds that TorGuard failed to prove that they fall within the jurisdiction of the court in question – despite the Court allowing them to try to do so twice. Since the case was filed in a rush (TorGuard also sued the wrong company in their initial complaint) to tarnish NordVPN’s reputation and not as a good-faith effort to seek justice, we expected this would be the initial outcome.
However, the US District Court decision was issued “without prejudice,” which means that the case can be brought again if TorGuard is willing to continue its unfounded assaults.