
NordVPN has dismissed claims of a significant data breach involving its internal Salesforce database after a threat actor claimed a network compromise and data leak.
NordVPN is a widely used VPN service that protects online privacy by encrypting your internet connection and masking your IP address. It helps keep your online activity secure from hackers, ISPs, and other third parties, enabling safer use of public Wi-Fi, private browsing, and access to location-restricted content.
Recently, a threat actor using the alias “1011” claimed to have breached NordVPN’s internal network and leaked source code from more than 10 databases hosted on a NordVPN development server. The exposed data reportedly includes structured .SQL files containing development environment configurations and authentication keys.
🚨Cyber Alert ‼️
🇵🇦Panama - NordVPN
A threat actor known as "1011" claims to have leaked over 10 databases’ worth of source code from a NordVPN development server.
Allegedly, the breach was achieved by bruteforcing a misconfigured server, which stored sensitive data including…
— Hackmanac (@H4ckmanac) January 5, 2026
The threat actor claimed the breach was carried out by brute-forcing a misconfigured server that stored sensitive data, including Salesforce API keys, Jira tokens, and other internal credentials.
Refuting the claims of the hacker, NordVPN stated in a press release on its website that the exposed data did not come from its internal Salesforce environment or any of the other services mentioned. The company explained that its investigation found the leaked configuration files were associated with a third-party platform for which NordVPN had only briefly maintained a trial account.
“Yesterday, on the 4th of January, we have identified a data dump on one of the breach forum websites, containing allegations made by a threat actor claiming to have accessed a “NordVPN Salesforce development server.” We immediately started to verify these claims and now want to address them directly to clarify what happened.
“Our security team has completed an initial forensic analysis of the alleged data dump. While we are continuing our investigation to ensure absolute certainty, we can confirm that, at this stage, there are no signs that NordVPN servers or internal production infrastructure have been compromised,” the company said.
NordVPN added that while no data in the dump points to its systems, it has contacted the vendor for further details. The company also said that its infrastructure remains fully secure and that no user action is required.