Not only one, but three VPN providers had security breaches since 2017, but are only acknowledging it now. NordVPN seems to have been hit the hardest, but TorGuard and VikingVPN also admitted breaches.
NordVPN, one of the most well-known VPN provider, had confirmed a security breach in early 2018. At fault, there's the data centre provider from Finland, where the server was hosted. The data centre provider used an insecure remote management system that NordVPN was “unaware” of. Although NordVPN seems to be playing down the occurrence, there's an anonymous post on 8chan, shared by Cryptostorm's Twitter account, that claims that the hacker had root access to the server. NordVPN states that the TLS key that was stolen was expired, and no VPN traffic could be decrypted.
The same 8chan user showed access to servers from two other VPN providers – TorGuard and VPNViking. TorGuard came forward to explain why, even if not disclosed to the public, this breach didn't affect them as much. TorGuard, unlike most competitors, was using secure PKI management, meaning that the CA key was not on the affected VPN server. The TLS certificate that was taken was for “squid proxy cert which has not been valid on the TorGuard network since 2017.”
VPNViking, on the other hand, didn't make a statement.
Both NordVPN and TorGuard state that no user credentials have been intercepted, and no other servers besides the one affected were accessed.
KitGuru says: These breaches should be disclosed as soon as possible. No customer should be left in the dark when their information is at risk. Do you use a VPN? Is it from any of these providers?