Over 2,000 NordVPN user accounts and passwords have been compromised in what appears to be a credential-stuffing attack, Ars Technica reports.
Multiple lists of user details, including email addresses, plain-text passwords and account expiration dates, surfaced on Pastebin and other online forums.
Ars Technica obtained a list of 753 accounts and sampled a small number of users to confirm that the login details allowed for unauthorised access.
Security breach service Have I Been Pwned reported the posting of at least 10 similar lists.
Most of the pages hosting the credentials have been taken down, although Ars Technica said that one site was still active as of last night.
The leaks were not a result of a breach of NordVPN’s servers.
Weak passwords used
According to Ars Technica, all of the passwords it has seen are weak, with many users simply choosing the string of characters before the “@” in their email address.
Others chose dictionary words or a combination of surnames and numbers.
The weak passwords suggest the exposure is the result of credential stuffing, a practice in which attackers take email addresses and passwords leaked from earlier breaches and try them against other services where the same details may be in use.
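Two defensive checks that follow from the patterns described here and from the rate-limiting and detection measures NordVPN mentions in its statement below, written as an added Python example (not code from the article or from NordVPN; the wordlist, IP addresses and login attempts are constructed): a password-policy check that rejects the weak patterns Ars Technica observed, and a simple auth-log scan for the many-accounts, mostly-failing behaviour that characterises a credential-stuffing run.

```python
import re
from collections import defaultdict

# Constructed wordlist stand-in; a real deployment would load a large
# dictionary or breached-password corpus instead of this small set.
COMMON_WORDS = {"password", "welcome", "dragon", "sunshine", "letmein", "qwerty"}

def _core(s):
    """Lower-case and drop trailing digits: 'Smith123' -> 'smith'."""
    return re.sub(r"\d+$", "", s.lower())

def weak_password_reasons(password, email, surname=None):
    """Return the weak-password patterns that `password` matches.
    An empty list means it passed every check."""
    reasons = []
    core = _core(password)
    local = email.split("@", 1)[0].lower()
    if core and core in (local, _core(local)):
        reasons.append("reuses the part of the email address before '@'")
    if core in COMMON_WORDS:
        reasons.append("dictionary word, possibly with digits appended")
    if surname and core == surname.lower():
        reasons.append("surname plus digits")
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    return reasons

def stuffing_suspects(attempts, min_accounts=5, max_success_rate=0.2):
    """Flag source IPs that try many distinct accounts and mostly fail,
    the signature of a credential-stuffing run. `attempts` is an iterable
    of (ip, email, succeeded) tuples taken from the authentication log."""
    per_ip = defaultdict(lambda: {"accounts": set(), "ok": 0, "total": 0})
    for ip, email, ok in attempts:
        s = per_ip[ip]
        s["accounts"].add(email.lower())
        s["total"] += 1
        s["ok"] += int(ok)
    return sorted(ip for ip, s in per_ip.items()
                  if len(s["accounts"]) >= min_accounts
                  and s["ok"] / s["total"] <= max_success_rate)

# Constructed sample log: one IP cycling through leaked pairs (one of which
# still works), and one ordinary user who mistypes once and then succeeds.
SAMPLE_ATTEMPTS = [("203.0.113.9", f"user{i}@example.net", i == 3) for i in range(8)] + \
                  [("198.51.100.4", "alice@example.net", False),
                   ("198.51.100.4", "alice@example.net", True)]

if __name__ == "__main__":
    print(weak_password_reasons("john.smith1", "john.smith@example.net", "Smith"))
    print(stuffing_suspects(SAMPLE_ATTEMPTS))
```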
Data centre breach
The leaks come in the wake of a recent security breach at the virtual private network service.
In October, NordVPN confirmed hackers had gained access to an exit node at one of its data centres last year.
Users can check Have I Been Pwned to determine if their credentials may have been compromised.
Update – Statement from NordVPN
“Credential stuffing is a growing issue not only for NordVPN but for almost every other digital service and website. The reason behind this is that people still reuse the same passwords and login names on different accounts or create weak passwords.”
“Our security team is proactively scanning such credential lists on both public sites and the dark web, and we are urging our clients to change their passwords. Over the past year, we notified approximately 50,000 customers to change their passwords; however, the password change rate is only around 50%. The database we use to check these credentials is ever-growing and consists of more than 30 billion entries.”
“2,000 accounts having been matched is an issue, but we have 12M customers in total. We have always been working on preventive means, like rate-limiting, smart detection systems, and, in the future, two-factor authentication (2FA).”
“Additionally, we always advise our clients through our social media channels, blog, and customer newsletters that they must keep their passwords unique and strong.”