Incident

Hacker claims breach of NordVPN, company refutes, claims it's third-party test data breach



A threat actor operating under the alias “1011” claimed responsibility for breaching internal Salesforce and development data allegedly belonging to NordVPN and leaked the data on a dark web forum.

The forum post included several sample SQL dumps and screenshots as proof of compromise, including data tables such as salesforce_api_step_details and api_keys.

According to the attacker’s statement, the breach occurred after the attacker brute-forced a misconfigured NordVPN development server that contained both Salesforce and Jira-related information.

NordVPN denied the claims that hackers broke into its internal Salesforce development servers. NordVPN said the leaked files are 'dummy data' from a trial account on a third-party testing platform. 

The company used a temporary setup months ago to test a new vendor for automated testing. NordVPN did not sign a contract with that vendor and stopped using the service. The setup was never part of the main network.

The company claims that the test environment was isolated from its production infrastructure. The stolen data includes database schemas and API tables used only for functionality checks. Allegedly, no real customer info, production source code, or active passwords were in this environment.

The compromised vendor has not been disclosed. NordVPN is now asking the vendor for more details about the incident.
