TorGuard operates VPN and proxy servers in over fifty countries, practicing secure PKI management network wide so our CA key is never stored on a VPN server. We operate this way so if a worst-case scenario occurs and a VPN server is seized or even compromised, no one can tamper with or decrypt user traffic, or launch Man-in-the-Middle attacks on other TorGuard servers.

So apparently NordVPN was compromised at some point. Their (expired) private keys have been leaked, meaning anyone can just set up a server with those keys… pic.twitter.com/TOap6NyvNy — undefined (@hexdefined) October 20, 2019

Yesterday twitter user @hexdefined posted links and images alleging that VPN providers TorGuard, NordVPN and VikingVPN all had a server compromised in September of 2017. These waybackmachine links show an anonymous 8chan user bragging about the server compromise and includes expired ghostbin links with terminal output as proof of their “crimes”. Of all three VPN providers TorGuard was the only one using secure PKI management, meaning our main CA key was not on the affected VPN server.

TorGuard first became aware of this disclosure during May of 2019 and in a related development we filed a legal complaint against NordVPN in the Middle District of Florida on June 27, 2019.

The single TorGuard server that was compromised was removed from our network in early 2018 and we have since terminated all business with the related hosting reseller because of repeated suspicious activity.

Due to the ongoing lawsuit we cannot provide exact details about this specific hosting re-seller or how the attacker gained unauthorized access. However, we would like the public to know this server was not compromised externally and there was never a threat to other TorGuard servers or users.

The TLS certificate for *.torguardvpnaccess.com on the affected server is a squid proxy cert which has not been valid on the TorGuard network since 2017. TorGuard’s squid proxy TLS cert was upgraded to SHA256 at that time and the affected SHA1 TLS cert removed from browser apps and retired immediately. Even though the affected SHA1 TLS cert did not expire until October 2018, this has not been in use since 2017 and is not valid on the TorGuard proxy network.

TorGuard VPN or proxy traffic was not compromised during this isolated breach of a single VPN server and no sensitive information was compromised during this incident. Even though no security risk past or present was found, TorGuard has reissued all certs earlier this year per our security protocol.