After the disclosure of major security breaches at NordVPN and TorGuard VPN, we are lowering the score of NordVPN, formerly a five-star, Editors' Choice VPN service. It is now a four-star service, and will keep its Editors' Choice award, for now. TorGuard will retain its four-star rating. I'll explain why—along with what happened—below.

The story starts months ago on the anonymous message board, 8chan, where a user bragged about having compromised NordVPN, TorGuard VPN, and a service we have not reviewed called VikingVPN. The brags went unnoticed for months until October 20th, when a Twitter storm brought the accusations against the companies into the light. That's when I found out about the incident.

I learned, like everyone else, that in the case of NordVPN and TorGuard VPN, someone managed to gain access to VPN servers leased by the companies. Both NordVPN and TorGuard have issued statements outlining the attack. VikingVPN has not updated its blog in quite some time and it has been almost two years since the company's Twitter account was active.

As a reviewer, I hate days like today, and not only because it required that I read some truly vile 8chan posts in order to find out the origin of this story. I especially hate this situation because it poses really difficult questions that don't have particularly satisfying answers.

Questions like, is it fair to penalize a company for being involved in an attack? Maybe another company has terrible security practices, but just wasn't targeted. Should I compare one company's response to another's and pick a winner? That's not fair, as blind luck could have been a factor in these outcomes. How can I believe anything that's being said, since the companies involved have a powerful financial motivation to put the best spin on the situation? It's an especially fraught situation in the VPN industry, which has an unfortunate history of skullduggery.

I'm fortunate that PCMag readers trust my reviews, and I know I have a particularly special responsibility when it comes to evaluating security and privacy products. These products are intended to protect people, and when they fail at protecting people, they're worse than just bad purchases: They put people at risk. Given that, I'm going to summarize what I understand about the breaches and how PCMag arrived at its decision regarding the scores of these two VPNs.

How Bad Were These Breaches?

According to NordVPN's statement, an attacker gained access to its server in Finland in March 2018 using a remote access feature that was left in place on the server. The server was leased by NordVPN, but managed by a third-party company. NordVPN claims the server company was negligent in how it managed its remote access tools. TorGuard has not disclosed the exact method used to gain access to its server, but the events appear to be linked.

NordVPN says that the attacker was able to nab the Transport Layer Security key that is used to verify that a site is actually run by NordVPN. TorGuard said that it manages its certificate authority keys in such a way that the keys are not stored directly on the server. Both companies say that they were previously aware of the intrusion on their servers, and had already taken steps to mitigate future attacks. TorGuard VPN disclosed the attack shortly after it was made aware of it. NordVPN did not publicly disclose the issue until October 21st.

I will note briefly here that I have been made aware of an ongoing legal case between NordVPN and TorGuard VPN that is connected to these breaches. We generally do not look at private legal complaints as part of our reviews and that is the case here as well.

It's clear that the attacker had privileged access that should not have been available to anyone. The information that was obtained in the attack is very valuable, but both NordVPN and TorGuard said that the information would have been difficult to use in practice.

Here's how PCMag reporter Michael Kan characterized a potential attack:

"Stealing [NordVPN's] TLS key did open the door for what's called a 'man in the middle attack,' which can expose your traffic, unencrypted, to the hacker. But pulling off such a scheme wouldn't be easy. It would require the creation of a dummy NordVPN client, and then tricking a user into installing it, which ultimately would have only victimized one computer."

In an email to me, NordVPN downplayed the potential for attacks this way:

"Essentially, the attack would require quite extraordinary access to the user's network or device for it to be possible. Such an attack, in theory, could be performed by a malicious or compromised ISP, a malicious Wi-Fi network, an intrusive Wi-Fi network admin (like a university or office network), or a hacker who already has access to your device."

For its part, TorGuard described the attack against its infrastructure this way:

"TorGuard did not store our main [certificate authority] key on any endpoint. But, even if the CA key was obtained and it was valid, attacks like these would be virtually impossible to pull off because OpenVPN has multiple layers of security. An attacker would have to locate and synchronize multiple attack vectors [...] People sometimes complain that OpenVPN is complicated, but that is one reason it is highly regarded as a secure VPN protocol."

What's perhaps more troubling is that the attacker may have been able to observe some user activity while they had access to NordVPN's server. I have reached out to TorGuard to clarify if this is also the case. In its reporting, Bloomberg quoted NordVPN advisory board member Tom Okman who spoke about this specific issue.

"Okman said it was hard to determine if hackers obtained information on the internet usage of Nord users because the company doesn't collect logs of activity on its servers, a selling-point to privacy-conscious customers. 'I think that the worst case scenario is that they could inspect the traffic and see what kind of websites you could visit,' Okman said. He said this would only apply to Nord users who used its Finnish server and were accessing websites that didn't use the secure protocol HTTPS."

Bloomberg says NordVPN estimates that 50-200 customers used the affected server.

I reached out to NordVPN to comment on this specific issue. A company representative stressed that while it was possible, there is no evidence the attacker observed traffic. The company's response:

"Even if [the] hacker could have viewed the traffic while being connected to the server, he could only see what an ordinary ISP would see, but in no way could it be personalized or linked to a particular username or email. Historical VPN traffic could not be monitored."

While it seems that using the stolen information would have been difficult for the attacker (it's very interesting that NordVPN and its competitor TorGuard VPN agree on this point), I am disturbed by the possibility that traffic could have been observed by the attacker. The good news is that HTTPS is more common today than ever before, which would greatly limit what the attacker could have observed, if they observed anything at all. It's also a relief that the attacker would not have been able to attribute the traffic observed to specific users connected with the server. But that's still cold comfort, as it represents a complete failure of what a VPN company is supposed to do in the first place.

I also reached out to TorGuard VPN to see if the attacker could have observed traffic while connected to its servers. The representative said it was not possible because the company uses secure public key infrastructure (PKI) management to protect its encryption keys. A representative wrote:

"No, that would be impossible in TorGuard's case. [...] TorGuard's [certificate authority] CA private key is never stored on any VPN server, so it would not be possible for an attacker to decrypt packets flowing through the VPN. When VPN traffic leaves the end user's computer through the VPN adapter, it is fully encrypted. Once the packet arrives at the VPN provider, the only way to see activity is to decrypt the packet with the VPN provider's private key. In theory, the attacker could then log traffic or further examine it for exploitation."
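To make concrete why keeping the CA key off the endpoint and re-issuing certificates matters, here is an added Go example (not code from NordVPN, TorGuard or PCMag) modelling a VPN client that pins its provider's CA: a certificate and private key copied off one server keep satisfying clients that still trust the old CA, but fail once the provider re-issues its CA and clients move to it. The CA name, the hostname and the rotation step are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue generates a key pair and certificate for name; parent == nil means self-signed (a CA).
func issue(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ku := x509.KeyUsageDigitalSignature
	if isCA {
		ku = x509.KeyUsageCertSign
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		IsCA:         isCA, BasicConstraintsValid: true, KeyUsage: ku,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed: the CA signs itself
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ClientAccepts models a VPN client that pins one CA and requires the offered server cert to chain to it for host.
func ClientAccepts(pinnedCA, offered *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(pinnedCA)
	_, err := offered.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// Scenario (constructed): an endpoint's own cert and key are copied off a leased server; the CA key was never on it.
// It returns whether a client pinning the old CA accepts that cert, and whether a client on the re-issued CA does.
func Scenario() (beforeRotation, afterRotation bool) {
	oldCA, oldCAKey := issue("vpn-ca.example", true, nil, nil)
	stolen, _ := issue("fi1.vpn.example", false, oldCA, oldCAKey) // endpoint cert and key an attacker copied
	newCA, _ := issue("vpn-ca.example", true, nil, nil)           // provider re-issues its CA after the incident
	return ClientAccepts(oldCA, stolen, "fi1.vpn.example"), ClientAccepts(newCA, stolen, "fi1.vpn.example")
}
```

Until clients are moved to the re-issued CA, the copied endpoint credential remains usable against them, which is why prompt rotation and disclosure matter as much as keeping the CA key offline.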

How to Think About Security Breaches

NordVPN and TorGuard certainly aren't the first companies, or even the first security companies, to experience major security breaches. In general, my approach to evaluating products that suffer security breaches is to judge them as much on how they handle the breach as on the severity of the breach itself.

After all, attacks against any organization that stores user information—which is every organization—are to be expected. Not to be cynical, but breaches are going to happen. They might be small, they might be massive, but eventually, someone will find a way in. What is more important than preventing a breach is coping with the aftermath.

Take the example of LastPass. This password manager records logins and then plays them back for fast, easy logins. It also can generate unique, complex passwords for each one of your accounts. It's a great service. In 2015, the company announced it had been the victim of an attack. LastPass quickly notified users and posted information to its public blog about the attack. The company had also planned for a worst-case scenario. It already encrypted all of its users' information, and the information stolen would be difficult if not impossible to use as a result. It still recommended that users change their master passwords, just to be sure.

This was an example of a company handling a breach well. It was transparent about the attack and provided clear advice for affected individuals. Most importantly, LastPass took steps to secure the information it held. Data was encrypted, passwords hashed and salted. When attackers stole data, the company was confident that none of it could be used to mount further attacks.

In general, NordVPN and TorGuard both responded reasonably well, but their responses do leave a few things to be desired. For one thing, a representative of TorGuard tells me that the company disclosed the breach back in May. NordVPN did not disclose the breach until it blew up on Twitter, ostensibly to ensure the attack could not be replicated on other servers. A prompt, transparent response goes a long way toward building trust in a company.

TorGuard says that it determined the attack posed no threat, but reissued the certificates that verify the identity of its servers anyway. It almost sounds like TorGuard wasn't going to say anything about the incident until it came up on Twitter. NordVPN says that it did not make a statement in order to verify that none of its other servers were vulnerable, and to implement additional safeguards.

It's easy to judge harshly with the benefit of hindsight, but it's clear that there were additional security measures NordVPN could have used on its servers. I can infer this partly because, in this very similar situation, there appear to have been different outcomes between NordVPN and TorGuard with regard to TLS keys. Moreover, NordVPN announced that in light of the attack it is going to "move all of our servers to RAM," which greatly limits the amount of information on the server at any given moment. That's great, but it could also have been done before the breach, and was not.

The attack and its disclosure show another critical problem with VPNs: a reliance on third-party contractors to supply the servers necessary to run the company. NordVPN says lax practices at the company running the datacenter it leased its servers from were the source of the intrusion. There's nothing ostensibly wrong with leasing servers, but it does mean that even an imaginary perfect VPN company could be stymied by negligent behavior on the part of the server operator. Both companies have said they cut ties with their respective datacenters, although it's not clear whether both companies used the same provider. Some VPN companies say they own their own servers, which might be a more attractive option in the future.

NordVPN, for its part, says that it will be more discerning about who it contracts to supply its server infrastructure. The company also says it will undergo a public third-party audit to validate that infrastructure is secure.

What Can Be Learned From These Breaches?

Hopefully other VPN companies will take a long hard look at their own practices, and the server providers they use. This experience has been illuminating for me, too. I've always tried to learn as much as I can about the efforts VPN companies make to protect their customers. For future reviews, I'll ask about server fleet policies, how data is stored on those servers, and how companies prepare for situations like this one. Expect to see updated reviews of all products in the very near future.

I'm also taking this opportunity to highlight a problem I've seen with the entire VPN industry since I started covering it: the difficulty of validating claims made by VPN companies. An outside observer would have a hard time verifying that a VPN is actually encrypting user traffic all the time, and it's impossible to verify that every single server is configured correctly and securely.

This is markedly different from other parts of the security industry. Antivirus companies, for example, formed the AMTSO, which allows individuals to verify that their antivirus applications are working, and established guidelines for third-party evaluations of those products.

VPNs have also operated in relative obscurity compared to the scrutiny applied to other technology companies. Apple or Google, for instance, are routinely probed by eager security researchers looking for vulnerabilities. That same attention has not been given to VPNs, and it's needed now more than ever. Clearly, there's good work to be done here. If a rando on 8chan can find something worth looking at, surely security researchers can do better.

All of our reviews at PCMag are effectively ongoing. I update a VPN review whenever there's a change in pricing, new features are added or old features removed, and when unfortunate incidents like this occur. There's also just a lot no one knows, and I try to learn in order to write better reviews. Our decision to change scoring is based on the information we have right now. If more damning information comes to light, either company's score could drop further. There's also the chance for improvement.

I hope to see the latter.