NordVPN: NordVPN Denies Breach After Hacker Claims Access to Salesforce Dev Data

**NordVPN Development Server Allegedly Breached by Hacker "1011"**

A hacker operating under the alias 1011 claimed to have breached a NordVPN development server, posting purported database dumps and configuration samples on BreachForums. The leak, titled “nordvpn.com SalesForce – leaked, Download!”, included alleged Salesforce API keys, Jira tokens, and source code from over ten databases. The hacker asserted access was gained by brute-forcing a misconfigured system, though screenshots shared did not conclusively link the data to NordVPN’s production environment.

NordVPN swiftly denied the claims, stating that its internal systems remain uncompromised. In a blog post, the company clarified that the leaked files originated from a six-month-old test environment used to evaluate a third-party platform. The trial, which ended without a signed contract, involved an isolated sandbox with no connection to live systems. NordVPN confirmed the data contained only dummy content and was never integrated into its operational infrastructure.

The company emphasized that the environment was not part of its active Salesforce setup and that no customer data, real API keys, or internal source code were exposed. NordVPN has contacted the third-party vendor for further details but maintains that the incident poses no risk to users. As of now, no verifiable evidence ties the leaked samples to NordVPN’s production systems.

Source: https://hackread.com/nordvpn-denies-breach-hacker-salesforce-dev-data/

Nord Security cybersecurity rating report: https://www.rankiteo.com/company/nordsecurity

"id": "NOR1767632574",
"linkid": "nordsecurity",
"type": "Breach",
"date": "1/2026",
"severity": "25",
"impact": "1",
"explanation": "Attack without any consequences"
{'affected_entities': [{'customers_affected': 'None (dummy data only)',
                        'industry': 'Cybersecurity/VPN Services',
                        'name': 'NordVPN',
                        'type': 'Company'}],
 'attack_vector': 'Brute-forcing a misconfigured system',
 'customer_advisories': 'No customer action needed',
 'data_breach': {'personally_identifiable_information': 'None',
                 'sensitivity_of_data': 'Low (dummy content only)',
                 'type_of_data_compromised': ['Salesforce API keys',
                                              'Jira tokens',
                                              'Source code']},
 'description': 'A hacker using the alias 1011 claimed to breach a NordVPN '
                'development server, posting database dumps and configuration '
                'samples on BreachForums. The leak included Salesforce API '
                'keys, Jira tokens, and source code from over ten databases. '
                'NordVPN denied the breach, stating the data originated from '
                'an isolated test environment used briefly six months ago '
                'during a third-party platform evaluation.',
 'impact': {'data_compromised': 'Salesforce API keys, Jira tokens, source code '
                                'from over ten databases (dummy content)',
            'systems_affected': 'Isolated test environment (not production)'},
 'initial_access_broker': {'entry_point': 'Misconfigured system'},
 'investigation_status': 'Ongoing',
 'post_incident_analysis': {'root_causes': 'Misconfigured test environment '
                                           'during third-party platform '
                                           'evaluation'},
 'references': [{'source': 'BreachForums post by hacker 1011'},
                {'source': 'NordVPN Blog Post'},
                {'source': 'Hackread.com'}],
 'response': {'communication_strategy': 'Public blog post denying breach and '
                                        'clarifying the nature of the leaked '
                                        'data',
              'enhanced_monitoring': 'Ongoing monitoring of the situation'},
 'threat_actor': 'Hacker alias 1011',
 'title': 'NordVPN Development Server Alleged Breach by Hacker 1011',
 'type': 'Alleged Data Breach',
 'vulnerability_exploited': 'Misconfigured system'}