NordVPN Refutes Claims of Development Server Breach
On January 4, 2026, a threat actor identified as 1011 alleged on a dark web forum that they had infiltrated NordVPN’s development infrastructure. The individual claimed to have accessed over ten database source codes, along with critical authentication credentials, including Salesforce API keys and Jira tokens. These assertions suggested potential vulnerabilities within NordVPN’s internal systems.
In response, NordVPN conducted a comprehensive forensic analysis and determined that these claims were unfounded. Laura Tyrylyte, Head of Public Relations at Nord Security, stated, Claims that NordVPN’s internal Salesforce development servers were breached are false. The company emphasized that their systems and data remain secure, and there is no evidence of any compromise.
The alleged breach was said to involve a misconfigured development server in Panama, through which the attacker purportedly obtained sensitive data. However, NordVPN’s investigation revealed that the leaked configuration files were related to a third-party platform with which they had briefly maintained a trial account. The data in question did not originate from NordVPN’s internal Salesforce environment or any other services mentioned in the claim.
This incident underscores the importance of verifying breach claims before drawing conclusions. NordVPN’s swift response and thorough investigation highlight their commitment to maintaining robust security measures and ensuring user trust.
