Nord Security confirms systems are secure after fake breach allegations


NordVPN has released a statement confirming that all systems and data remain secure, following fake claims by a threat actor of an alleged breach.

“Claims that NordVPN’s internal Salesforce development servers were breached are false,” Laura Tyrylyte, head of Public Relations at Nord Security, said in a statement.

On January 4th, the company identified a data dump on an illicit breach forum website, containing allegations made by a threat actor claiming to have accessed a “NordVPN Salesforce development server.”

“We immediately started to verify these claims. Our security team has completed an initial forensic analysis of the alleged data dump, and we can confirm that, at this stage, there are no signs that NordVPN servers or internal production infrastructure have been compromised,” Tyrylyte explains.

“The data in question does not originate from NordVPN’s internal Salesforce environment or any other services mentioned in the claim.”

Instead, the company’s investigation revealed that the leaked configuration files were related to a third-party platform, with which it had briefly maintained a trial account.

“NordVPN systems remain fully secure.”

The company provides more details on the trial with a third-party platform in a blog post.

What did the threat actor claim?

The threat actor who posted the claims of breaching NordVPN's development environment used a new account, “1011.”

“Today I am leaking +10 DB's source codes from a NordVPN development server,” the threat actor said.

The threat actor claimed to have obtained Salesforce API keys, Jira tokens, and SQL Database dumps. The alleged leak didn’t involve any user personal data, including email addresses, passwords, IP addresses, logs, or financial data.

The provided data samples included timestamps from August 2025, which were five months prior to the post date, and the leaked API keys appear to be in the wrong format.

The threat actor claimed they acquired the information “by bruteforcing a misconfigured server,” which stored Salesforce and Jira information.

A development environment is like a testing lab for engineers building and debugging software, making it less sensitive than a production environment. The data within it typically relates to internal pre-production workflows, tools, integrations, and business logic, which could still be useful for attackers if the leak was genuine.

