• veee@lemmy.ca · ↑56 · 2 days ago

    "The leaked elements, such as the specific API tables and database schemas can only be artifacts of an isolated third-party test environment, containing only dummy data used for functionality checks. While no data in the dump points to NordVPN, we have contacted the vendor for additional information," NordVPN explained.

    "Because this was a preliminary test and no contract was ever signed, no real customer data, production source code, or active sensitive credentials were ever uploaded to this environment.

    “We ultimately chose a different vendor and did not proceed with the one we tested. The environment in question was never connected to our production systems.”

    I’d love to see the look on 1011’s face having just learned this.

  • DarkSirrush@piefed.ca · ↑22 · 2 days ago

    The company also announced plans to switch to dedicated servers that they own exclusively and to upgrade their entire 5,100-server infrastructure to RAM servers.

    Oh, that's going to be expensive this year.

    • dublet@lemmy.world · ↑31 ↓1 · 2 days ago

      They operate a business that charges for a service, and therefore have user accounts and payment data for those accounts.

      • John Lemmy@lemmy.ml · ↑11 · 2 days ago

        There is at least one VPN provider (that I know of) that doesn’t record account and payment data. You can send the fee via regular post in an envelope tied to only a random numerical user ID.

        • null@piefed.nullspace.lol · ↑10 ↓2 · 2 days ago

          So for selling it to aggregators?

          You really think that’s the primary function for user data? Not like, billing?

          • Lembot_0006@programming.dev · ↑3 ↓11 · 2 days ago

            Billing? ID -> balance. “Very” important data for hackers. They had more? Like card numbers, names, addresses, etc? That’s a bad practice for VPN providers.

            • dogslayeggs@lemmy.world · ↑5 ↓1 · 2 days ago

              You are surprised that a for-profit company that bills people on a RECURRING basis for a paid service keeps card numbers and billing addresses/names? How would recurring bills be paid if the info isn’t stored?

              • Lembot_0006@programming.dev · ↑1 ↓6 · 2 days ago

                > You are surprised

                I’m not surprised. I am accustomed to the shit around.

                > How would recurring bills be paid if the info isn’t stored?

                Just go to the bank (or open your bank application on the phone) and pay.

                • Fushuan [he/him]@lemmy.blahaj.zone · ↑2 · 2 days ago

                  This is not how most people operate around subscription services. People expect that the online subscription service will manage that shit. Less secure I know, but you live either in the past or in a much higher risk environment than most.

              • Postmortal_Pop@lemmy.world · ↑2 · 2 days ago

                Mullvad gives you a 16-digit random number when you sign up. Anyone with that number can use that account, it’s on you to not lose it, if you do you have to make a new account. You send them money and an account number and they add balance to that account. When it’s out, that account is blocked from service until they get more money. You hack their service and you get a list of numbers and whether or not they have service. They keep no documentation and if you pay with card you have to manually input every time. I know them better than they know their users.

        • village604@adultswim.fan · ↑7 · 2 days ago

          Uh… this entire event is a strong reason for using dummy data in a testing environment. You shouldn’t ever use production data in a test environment.

          You generate dummy data that looks like real data for testing purposes.
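
The practice described in the last comment, as an added example that is not part of the thread: a seeded generator for realistic-looking customer rows plus a gate that rejects any fixture row lacking a synthetic marker. The field names, the `tok_test_` prefix and the function names are hypothetical.

```python
import random

# RFC 2606 reserves these domains, so no address here can belong to a customer.
RESERVED_DOMAINS = {"example.com", "example.net", "example.org"}
TOKEN_PREFIX = "tok_test_"  # hypothetical marker for non-billable payment tokens


def make_dummy_customers(count, seed=0):
    """Return `count` realistic-looking but entirely synthetic customer rows."""
    rng = random.Random(seed)  # seeded so fixtures are reproducible; never for secrets
    domains = sorted(RESERVED_DOMAINS)
    rows = []
    for i in range(count):
        rows.append({
            "account_id": f"{rng.randrange(10**16):016d}",
            "email": f"user{i:04d}@{rng.choice(domains)}",
            "name": f"Test User {i:04d}",
            "payment_token": TOKEN_PREFIX + f"{rng.getrandbits(64):016x}",
            "plan": rng.choice(["monthly", "yearly"]),
        })
    return rows


def find_non_synthetic(rows):
    """Return (row index, field) pairs for values that lack a synthetic marker."""
    problems = []
    for i, row in enumerate(rows):
        domain = row.get("email", "").rpartition("@")[2].lower()
        if domain not in RESERVED_DOMAINS:
            problems.append((i, "email"))
        if not row.get("payment_token", "").startswith(TOKEN_PREFIX):
            problems.append((i, "payment_token"))
    return problems


def load_into_test_env(rows):
    """Gate: refuse to ship a fixture that contains anything unmarked."""
    problems = find_non_synthetic(rows)
    if problems:
        raise ValueError(f"fixture rejected, unmarked fields: {problems}")
    return len(rows)  # stand-in for the actual upload step
```

Running the gate before any upload to a vendor's evaluation environment means a later dump of that environment can be checked against the same markers.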