As many as 2,000 users of NordVPN, the virtual private network service that recently disclosed a server hack that leaked crypto keys, have fallen victim to credential-stuffing attacks that allow unauthorized access to their accounts.

In recent weeks, credentials for NordVPN users have circulated on Pastebin and other online forums. They contain the email addresses, plain-text passwords, and expiration dates associated with NordVPN user accounts.

I received a list of 753 credentials on Thursday and polled a small sample of users. The passwords listed for all but one were still in use. The one user who had changed their password did so after receiving an unrequested password reset email. It would appear someone who gained unauthorized access was trying to take over the account. Several other people said their accounts had been accessed by unauthorized people.

Over the past week, breach notification service Have I Been Pwned has reported at least 10 lists of NordVPN credentials similar to the one I obtained.

While it’s likely that some accounts are listed in multiple lists, the number of user accounts easily tops 2,000. What’s more, a large number of the email addresses in the list I received weren’t indexed at all by Have I Been Pwned, indicating that some compromised credentials are still leaking into public view. Most of the Web pages that host these credentials have been taken down, but at the time this post was going live, at least one remained available on Pastebin, despite the fact Ars brought it to NordVPN’s attention more than 17 hours earlier.

Without exception, all of the plain-text passwords are weak. In some cases, they’re the string of characters to the left of the @ sign in the email address. In other cases, they’re words found in most dictionaries. Others appear to be surnames, sometimes with two or three numbers tacked onto the end. These common traits mean that the most likely way these passwords became public is through credential stuffing. That’s the term for attacks that take credentials divulged in one leak to break into other accounts that use the same username and password. Attackers typically use automated scripts to carry out these attacks.

Shared responsibility

It’s important for readers to know these lists don’t signal a breach on any NordVPN servers. The lists also don’t indicate that the breach disclosed 11 days ago was worse than the company said it was. Rather, these lists are the result of mistakes both on the part of users and NordVPN. For users, the error is choosing easy-to-guess passwords and using them on multiple sites. Security practitioners almost universally recommend people choose a long, random password that is unique for every account.

I’d argue that NordVPN shares the bulk of responsibility for the high incidence of compromised accounts on its site. Many services such as Google and Facebook proactively sift through credential lists available on both public sites and the Dark Web. When the sites find credentials that match those of their users, the sites notify the users and require a password reset. The sites increasingly are not allowing users to choose weak passwords in the first place or credentials that have been exposed in online dumps in the past.

NordVPN can take other measures to prevent malicious parties from logging in with users’ poorly chosen passwords. Chief among them would be rate limiting and algorithms that detect and block unauthorized logins. It’s hard to understand why NordVPN, a company that’s in the business of providing security to users, is allowing so many of its users to fall victim to these attacks. In an email sent after this post went live, a NordVPN representative wrote:

Our security team is proactively scanning credential lists available on both public sites and the Dark Web, and, from time to time, we are trying to urge our clients to change their credentials, especially passwords. And then we are always trying to educate our customers through our social media channels, blog, and client newsletters that they must keep their passwords unique and strong. We are working at the moment on two other measures - two-factor authentication (2FA) and smart bot-detection system to enhance rate limiting. Credential stuffing is a growing problem not only for us but for almost every other digital service and website. If you look into marketplaces on the dark web or even more shady forums on a public web - you'll find hundreds of different accounts for streaming, music, games, health apps, and services sold illegally. All those accounts are acquired through the credential stuffing.

Readers who are NordVPN users should visit Have I Been Pwned and check to see if their email address is contained in any of the lists. If it is, they should change their passwords immediately. For most people, it’s too hard a task to keep track of scores of strong passwords, but that’s where password managers come in. This protection is especially important since NordVPN doesn't seem to be doing enough to stop these attacks from happening.

Post updated to add NordVPN comment.