NordVPN confirms it was hacked – TechCrunch
NordVPN, the virtual private network provider, today confirmed it was hacked through an expired, exposed, and outdated internal private key. VPN providers are becoming significantly popular due to providing security and are used frequently by users in hostile environments.
News Insights: Grant McCracken, Director, Solutions Architecture at Bugcrowd:
“What you think is your perimeter, is not your perimeter — it’s a whole lot bigger than you think. Nobody operates in or as a self-contained system, everyone is leveraging a litany of other web assets whether that’s data servers, third party plugins/addons, WordPress hosts, or even just run-of-the-mill AWS or Azure resources.
Everyone lives in a complicated state of a billion dependencies, and each one of these further extends a given organization’s attack surface. And with this, oftentimes, companies are left unaware of their full exposure/footprint, and thus cannot protect it.
To help protect one’s ever-changing attack surfaces and landscape, I recommend implementing an open scope bounty program where researchers can report vulnerabilities- even if it’s something as simple as exposed keys on a Pastebin blob. The important thing here is offering cash incentives to ensure that there’s a driver for individuals to report these vulnerabilities, rather than leaving them in the open for someone else to deal with. Ostensibly, a number of other people saw these keys on the message board where they were posted, but it appears that nobody had the motivation to report them immediately. Offering incentives to researchers (or even bystanders who witness these things) to report things like this is an effective and important piece in making sure that any organization is a little more secure in the wild.”