NordVPN
Contents13
❗Article Status Notice: This Article is a stub
This article is underdeveloped, and needs additional work to meet the wiki's Content Guidelines and be in line with our Mission Statement for comprehensive coverage of consumer protection issues. Learn more ▼
Issues may include:
- This article needs to be expanded to provide meaningful information
- This article requires additional verifiable evidence to demonstrate systemic impact
- More documentation is needed to establish how this reflects broader consumer protection concerns
- The connection between individual incidents and company-wide practices needs to be better established
- The article is simply too short, and lacks sufficient content
How you can help:
- Add documented examples with verifiable sources
- Provide evidence of similar incidents affecting other consumers
- Include relevant company policies or communications that demonstrate systemic practices
- Link to credible reporting that covers these issues
- Flesh out the article with relevant information
This notice will be removed once the article is sufficiently developed. Once you believe the article is ready to have its notice removed, please visit the Moderator's noticeboard, or the Discord (join here) and post to the #appeals channel, or mention its status on the article's talk page.
| Basic information | |
|---|---|
| Founded | 2012 |
| Legal Structure | Private |
| Industry | Cybersecurity, Virtual Private Networks |
| Also known as | |
| Official website | https://nordvpn.com |
NordVPN is a virtual private network (VPN) service provider owned by Nord Security. NordVPN heavily advertises their products on popular YouTube channels. NordVPN operates worldwide, with offices in the United Kingdom, the Netherlands, Poland, Germany, the United States, Lithuania, Switzerland, and Panama.
Consumer-impact summary
- User freedom: A class action lawsuit was proposed accusing NordVPN of unlawful subscription renewal practices.
- User privacy: Internet traffic that exits the US border is subject to interception by US intelligence agencies (not limited to NordVPN); tracking services have been found within NordVPN's mobile app; has suffered a breach of one of their data centers that was only disclosed more than a year after the incident.
- Business model: Sells subscription services that mainly include their VPN product, but higher tiers can also have add-ons such as their identity protection service NordProtect, their cloud storage service NordLocker and their password manager NordPass as well as others.
- Market competition: Plenty of popular brands (i.e. ProtonVPN, Mullvad, ...).
Incidents
Subscription Renewal Practices
A class action lawsuit has been proposed on November 19, 2024 accusing NordVPN and its developer Nord Security of using deceptive and illegal subscription renewal practices.[1]
Privacy concerns
Due to current laws, United States intelligence agencies are prohibited from spying on American citizens' communications, including internet traffic (with some expanding exceptions).[2] However, internet traffic that exits the country is legally subject to interception and decryption. This includes VPN providers that route traffic outside the United States. As a result, using a VPN may inadvertently expose users to surveillance by U.S. intelligence agencies. No international VPN providers disclose this risk to their customers. It is entirely legal for U.S. intelligence agencies to break encryption, perform man-in-the-middle attacks, or employ other methods to weaken encryption on data crossing international borders.
If data passes international borders it is subject to "bulk collection" by the Intelligence Community because of Executive Order 12333.[3]
Tracking inside App
An analysis by German privacy blogger and activist Mike Kuketz found third party tracking services embedded into the apps of five different VPN services, including three in NordVPN's app (AppsFlyer, Google Crashlytics, and Google Firebase Analytics).[4]
When confronted with the allegations, NordVPN denied the allegations, answering with statements about the website instead of the smarphone app. Kuketz then conducted his own in-depth analysis of the app's traffic (his initial analysis was based on data from the Exodus Privacy Project), revealing that at least two of the trackers were indeed present.
Confronted with the results, the company spoke of a "misunderstanding", which Kuketz describes as "not very convincing".
He further notes that NordVPN's PR manager is using a NordVPN e-mail address which is hosted by Google, meaning any e-mail communication with the company over the same channels would be fully exposed to the advertising giant's data collection.[5]
Data center breach
In March 2018 one of NordVPN's third party servers located in Finland was breached. According to official accounts[6] the attacker gained access to the server thanks to poor management on the data center part, which shortly after patched the issue but failed to make NordVPN aware of the breach until April 13, 2018.
No sensitive user data was stolen, but the attacker did get access to TLS keys which "under extraordinary circumstances, could be used to attack a single user on the web using a specifically targeted and highly sophisticated MITM attack".[6] Said TLS keys were made public by the attacker on the website 8chan together with information relating to breaches of other VPN providers such as TorGuard and VikingVPN.[7]
NordVPN released an official statement more than a year later, only after a researcher on X revealed that NordVPN "was compromised at some point".[8] This was followed by significant turmoil within the community, as individuals remained uninformed for all of this time. According to NordVPN, the delay was justified by an internal audit they were executing of all of their servers which they wanted to complete before notifying the public, making sure that the attack could not be replicated.[6]
NordVPN has since taken down the affected server and terminated the contract with the data center. A security plan was later announced as well.[9]
Products
- NordVPN
- NordPass
- NordLocker
- NordProtect
- Saily
Consumer friendly alternatives
VPN:
Password manager:
Cloud storage:
See also
References
- ↑ Rizzi, C. (2024, November 20). NordVPN lawsuit filed over allegedly illegal automatic subscription renewal practices. ClassAction.org. Retrieved May 24, 2025, from https://www.classaction.org/news/nordvpn-lawsuit-filed-over-allegedly-illegal-automatic-subscription-renewal-practices (Archived)
- ↑ "Electronic Communications Privacy Act of 1986 (ECPA)". Office of Justice Programs. Archived from the original on 24 Jan 2026. Retrieved 2025-03-25.
- ↑ Goitein, Elizabeth (2022-02-15). "How the CIA Is Acting Outside the Law to Spy on Americans". Brennan Center. Archived from the original on 10 Dec 2025. Retrieved 2025-03-26.
- ↑ Kuketz, Mike (2025-09-29). "VPN-Apps: Wenn »Sicherheits-Apps« selbst zum Risiko werden [VPN-Apps: When "Security-Apps" themselves become a risk]". Kuketz IT-Security. Archived from the original on 7 Apr 2026. Retrieved 2025-10-27.
- ↑ Kuketz, Mike (2025-10-20). "NordVPN bestreitet den Einsatz von Trackern – Doch ein App-Mitschnitt zeigt ein anderes Bild [NordVPN denies use of trackers – but an analysis of the app's traffic paints a different picture]". Kuketz IT-Security. Archived from the original on 7 Apr 2026. Retrieved 2025-10-27.
- ↑ 6.0 6.1 6.2 "Why the NordVPN network is safe after a third-party provider breach". NordVPN. 2019-10-21. Archived from the original on 7 Apr 2026. Retrieved 2026-02-22.
- ↑ "NordVPN Hack – Everything You Need to Know". Cyber Insider. 2019-10-23. Archived from the original on 31 Jan 2026. Retrieved 2026-02-22.
- ↑ "So apparently NordVPN was compromised at some point". x.com. 2019-10-20. Archived from the original on 7 Apr 2026. Retrieved 2026-02-22.
- ↑ "How NordVPN will become more secure than ever". NordVPN. 2019-10-26. Archived from the original on 7 Apr 2026. Retrieved 2026-02-22.