Two Thousand NordVPN Users Fell Victim to Credential Stuffing

Last updated July 31, 2021
Written by:
Bill Toulas
Infosec Writer

According to ArsTechnica, at least ten lists containing NordVPN user credentials are circulating online right now. In total, 2000 users have already fallen victim to credential stuffing attacks, while the total number of compromised customers is approximately 5700, although the lists may contain duplicates and overlapping sets. The same was confirmed by “Have I Been Pwned”, which NordVPN users should visit to check whether they are among the compromised. Most of the pages that hosted these lists have been taken down or have removed them, but a Pastebin remains, and the lists are almost certainly being shared on multiple darknet channels right now.

All that said, it is important to clarify that these lists aren’t the product of a breach of any NordVPN system. Most likely, the compromised users were not careful enough, didn’t use a unique and strong password to secure their accounts, and hadn’t changed it recently. However, NordVPN could help create a more security-focused environment by urging its clients to reset their passwords regularly, use a password manager, and learn to identify phishing websites and similar attempts against them. The internet company recently unveiled a new plan that will help it secure its platform even further, but some things are still in the hands of the users.

One thing that NordVPN could have done, or could start doing from now on, is to proactively search the dark web for credential lists and inform its clients if something matches its records. Having more companies do that would help with the whole situation, as a company that discovers a new list can report it to another affected entity in time. This requires work hours and resources, but large and successful companies such as NordVPN should allocate them for the benefit of their users’ safety.
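The matching step described above can be sketched as follows. This is an added example, not NordVPN's code and not part of the original article: it merges several overlapping leaked lists, drops duplicates, and reports which accounts still use a leaked password. The user-store layout, the PBKDF2 parameters, and all sample data are assumptions constructed for illustration.

```python
import hashlib
import hmac

ITERATIONS = 100_000  # assumed PBKDF2 work factor of this hypothetical user store


def kdf(password: str, salt: bytes) -> bytes:
    """Derive the stored verifier the same way the (assumed) user store does."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def parse_combo_lists(lists):
    """Merge several 'email:password' dumps into one de-duplicated set of pairs."""
    pairs = set()
    for text in lists:
        for line in text.splitlines():
            email, sep, password = line.strip().partition(":")
            if sep and email and password:  # skip malformed lines
                pairs.add((email.lower(), password))
    return pairs


def accounts_to_reset(lists, user_store):
    """Return e-mails whose *current* password appears in a leaked list."""
    hits = set()
    for email, password in parse_combo_lists(lists):
        record = user_store.get(email)
        if record is None:
            continue  # leaked address is not one of our customers
        salt, stored = record
        # Constant-time comparison against the salted hash on record.
        if hmac.compare_digest(kdf(password, salt), stored):
            hits.add(email)
    return sorted(hits)


def _user(password, salt):
    return (salt, kdf(password, salt))


# Constructed sample data: three customers and two overlapping leaked lists.
USER_STORE = {
    "alice@example.com": _user("Summer2019!", b"salt-a-0001"),
    "bob@example.com": _user("kT9#vq2LmX", b"salt-b-0002"),
    "carol@example.com": _user("hunter2", b"salt-c-0003"),
}
LIST_ONE = "alice@example.com:Summer2019!\nbob@example.com:oldpassword1\nmallory@example.net:qwerty\n"
LIST_TWO = "Alice@Example.com:Summer2019!\ncarol@example.com:hunter2\nmalformed line without separator\n"

if __name__ == "__main__":
    print(accounts_to_reset([LIST_ONE, LIST_TWO], USER_STORE))
```

Only accounts whose leaked password still verifies are flagged, so a customer who has already changed a leaked password (bob in the sample data) is not sent a forced reset.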

Only ten days ago, we reported that a single server at a data center service provider that collaborated with NordVPN had been compromised. The company learned about this a couple of months ago and was still investigating the incident, but the disclosure came from an independent hacker. This had considerable negative PR repercussions and shook the trust of the company’s clients. Although the present story isn’t related to that incident, back-to-back negative publicity is definitely giving NordVPN a headache. Still, for us, it remains one of the most reliable and trustworthy entities in the VPN market.

NordVPN responded to our story with the following statement: "Our security team is proactively scanning such credential lists on both public sites and the dark web, and we are urging our clients to change their passwords. Over the past year, we notified approximately 50,000 customers to change their passwords; however, the password change rate is only around 50%. The database we use to check these credentials is ever-growing and consists of more than 30 billion entries.

2,000 accounts having been matched is an issue, but we have 12M customers in total. We have always been working on preventive means, like rate-limiting, smart detection systems, and, in the future, two-factor authentication (2FA). Additionally, we always advise our clients through our social media channels, blog, and customer newsletters that they must keep their passwords unique and strong."



