It becomes increasingly clear every day how difficult it can be to maintain some semblance of privacy on the internet. An increasing number of people have started using VPN services to keep their activities private, but a compromised VPN can be even worse for your anonymity. The popular and widely recommended NordVPN pushes its ability to protect your privacy online, but it has just admitted that unknown attackers managed to breach one of its servers last year.

A VPN acts as a “tunnel” for all your web traffic, so anyone attempting to observe what you’re doing will just see data going to and from the VPN’s servers. However, the VPN is essentially acting like a second ISP, and that means it sees all your unencrypted data. NordVPN and most other paid services are clear that they don’t keep logs of user activity. However, the server infiltration could have made it feasible for the attacker to spy on users.

The breach occurred in March 2018, and NordVPN learned about it several months ago. The company says it waited to release details until it made sure its infrastructure was secure. It points the finger at a data center provider, which hosted one of Nord’s servers in Finland. Apparently, the data center had an insecure remote management system that NordVPN didn’t know about.

So apparently NordVPN was compromised at some point. Their (expired) private keys have been leaked, meaning anyone can just set up a server with those keys… pic.twitter.com/TOap6NyvNy — undefined (@hexdefined) October 20, 2019

While someone did access the server, NordVPN stresses that it does not save activity logs, user IDs, or other personal details. Nord also lost control of an (expired) private key, which could allow others to set up servers that masquerade as official NordVPN servers. Security researchers outside the company expressed concern at the scale of the infiltration. An unknown party had full remote control of the server for a period of time, and they could have used that to scoop up data from some users regardless of whether or not anything is stored on the server. However, NordVPN asserts that the only way someone could have stolen user data from the server is via a targeted man-in-the-middle attack.

Reports are circulating that several other VPN providers may have been attacked around the same time. TechCrunch reports seeing records from other VPN providers like TorGuard and VikingVPN that suggest they may have also been breached. However, neither company has confirmed that. Both say they experienced limited breached in 2017 that didn’t include any access to VPN traffic.

Now read: