Unfortunately, they recently disclosed that a server in one of their data centers was breached back in March of 2018.
According to the details released, the server was located in a data center in Finland.
It was compromised due to an insecure remote management system that was left in place by the data center provider. Worse, this was a system that NordVPN never even knew existed. The company said that they learned of the breach some months ago but withheld disclosing the details until they could be sure that their systems were secure. In the meantime, though, they quietly terminated their contract with the provider in question and shredded the servers that company had been renting from them.
As the official statement released by the company explained:
"The server itself did not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords couldn't have been intercepted either."
Researchers also discovered that NordVPN had an expired private key left inadvertently exposed. This would have allowed anyone who gained access to it to set up a server that imitated NordVPN.
The company addressed this point as well, saying:
"...the key couldn't possibly have been used to decrypt the VPN traffic of any other server. On the same note, the only possible way to abuse the website traffic was by performing a personalized and complicated man-in-the-middle attack to intercept a single connection that tried to access NordVPN."
Assurances aside, the fact that it happened at all is troublesome. In any case, according to the official statements released by the company and informed by their ongoing investigation, it doesn't appear that any sensitive user data was exposed. So if you're a NordVPN user, you can breathe a sigh of relief about that. Stay tuned for additional updates from the company.