[BreachExchange] NordVPN users’ passwords exposed in mass credential-stuffing attacks

[Destry Winant]

https://arstechnica.com/information-technology/2019/11/nordvpn-users-passwords-exposed-in-mass-credential-stuffing-attacks/

As many as 2,000 users of NordVPN, the virtual private network service
that recently disclosed a server hack that leaked crypto keys, have
fallen victim to credential-stuffing attacks that allow unauthorized
access to their accounts.

Hackers steal secret crypto keys for NordVPN. Here’s what we know so far
In recent weeks, credentials for NordVPN users have circulated on
Pastebin and other online forums. They contain the email addresses,
plain-text passwords, and expiration dates associated with NordVPN
user accounts.

I received a list of 753 credentials on Thursday and polled a small
sample of users. The passwords listed for all but one were still in
use. The one user who had changed their password did so after
receiving an unrequested password reset email. It would appear someone
who gained unauthorized access was trying to take over the account.
Several other people said their accounts had been accessed by
unauthorized people.

Over the past week, breach notification service Have I Been Pwned has
reported at least 10 lists of NordVPN credentials similar to the one I
obtained.

Have I Been Pwned

While it’s likely that some accounts are listed in multiple lists, the
number of user accounts easily tops 2,000. What’s more, a large number
of the email addresses in the list I received weren’t indexed at all
by Have I Been Pwned, indicating that some compromised credentials are
still leaking into public view. Most of the Web pages that host these
credentials have been taken down, but at the time this post was going
live, at least one remained available on Pastebin, despite the fact
Ars brought it to NordVPN’s attention more than 17 hours earlier.

Without exception, all of the plain-text passwords are weak. In some
cases, they’re the string of characters to the left of the @ sign in
the email address. In other cases, they’re words found in most
dictionaries. Others appear to be surnames, sometimes with two or
three numbers tacked onto the end. These common traits mean that the
most likely way these passwords became public is through credential
stuffing. That’s the term for attacks that take credentials divulged
in one leak to break into other accounts that use the same username
and password. Attackers typically use automated scripts to carry out
these attacks.

Shared responsibility

It’s important for readers to know these lists don’t signal a breach
on any NordVPN servers. The lists also don’t indicate that the breach
disclosed 11 days ago was worse than the company said it was. Rather,
these lists are the result of mistakes both on the part of users and
NordVPN. For users, the error is choosing easy-to-guess passwords and
using them on multiple sites. Security practitioners almost
universally recommend people choose a long, random password that is
unique for every account.

I’d argue that NordVPN shares the bulk of responsibility for the high
incidence of compromised accounts on its site. Many services such as
Google and Facebook proactively sift through credential lists
available on both public sites and the Dark Web. When the sites find
credentials that match those of their users, the sites notify the
users and require a password reset. The sites increasingly are not
allowing users to choose weak passwords in the first place or
credentials that have been exposed in online dumps in the past.

NordVPN can take other measures to prevent malicious parties from
logging in with users’ poorly chosen passwords. Chief among them would
be rate limiting and algorithms that detect and block unauthorized
logins. It’s hard to understand why NordVPN, a company that’s in the
business of providing security to users, is allowing so many of its
users to fall victim to these attacks. In an email sent after this
post went live, a NordVPN representative wrote:

Our security team is proactively scanning credential lists available
on both public sites and the Dark Web, and, from time to time, we are
trying to urge our clients to change their credentials, especially
passwords. And then we are always trying to educate our customers
through our social media channels, blog, and client newsletters that
they must keep their passwords unique and strong. We are working at
the moment on two other measures - two-factor authentication (2FA) and
smart bot-detection system to enhance rate limiting.

Credential stuffing is a growing problem not only for us but for
almost every other digital service and website. If you look into
marketplaces on the dark web or even more shady forums on a public web
- you'll find hundreds of different accounts for streaming, music,
games, health apps, and services sold illegally. All those accounts
are acquired through the credential stuffing.

Readers who are NordVPN users should visit Have I Been Pwned and check
to see if their email address is contained in any of the lists. If it
is, they should change their passwords immediately. For most people,
it’s too hard a task to keep track of scores of strong passwords, but
that’s where password managers come in. This protection is especially
important since NordVPN doesn't seem to be doing enough to stop these
attacks from happening.