Submission + - NordVPN Users' Passwords Exposed In Mass Credential-Stuffing Attacks (arstechnica.com)
An anonymous reader writes: As many as 2,000 users of NordVPN, the virtual private network service that recently disclosed a server hack that leaked crypto keys, have fallen victim to credential-stuffing attacks that allow unauthorized access to their accounts. In recent weeks, credentials for NordVPN users have circulated on Pastebin and other online forums. They contain the email addresses, plain-text passwords, and expiration dates associated with NordVPN user accounts.
I received a list of 753 credentials on Thursday and polled a small sample of users. The passwords listed for all but one were still in use. The one user who had changed their password did so after receiving an unrequested password reset email. It would appear someone who gained unauthorized access was trying to take over the account. Several other people said their accounts had been accessed by unauthorized people. Over the past week, breach notification service Have I Been Pwned has reported at least 10 lists of NordVPN credentials similar to the one I obtained. While it’s likely that some accounts are listed in multiple lists, the number of user accounts easily tops 2,000. What’s more, a large number of the email addresses in the list I received weren’t indexed at all by Have I Been Pwned, indicating that some compromised credentials are still leaking into public view. Most of the Web pages that host these credentials have been taken down, but at the time this post was going live, at least one remained available on Pastebin, despite the fact Ars brought it to NordVPN’s attention more than 17 hours earlier.
I received a list of 753 credentials on Thursday and polled a small sample of users. The passwords listed for all but one were still in use. The one user who had changed their password did so after receiving an unrequested password reset email. It would appear someone who gained unauthorized access was trying to take over the account. Several other people said their accounts had been accessed by unauthorized people. Over the past week, breach notification service Have I Been Pwned has reported at least 10 lists of NordVPN credentials similar to the one I obtained. While it’s likely that some accounts are listed in multiple lists, the number of user accounts easily tops 2,000. What’s more, a large number of the email addresses in the list I received weren’t indexed at all by Have I Been Pwned, indicating that some compromised credentials are still leaking into public view. Most of the Web pages that host these credentials have been taken down, but at the time this post was going live, at least one remained available on Pastebin, despite the fact Ars brought it to NordVPN’s attention more than 17 hours earlier.
