The VPN provider NordVPN apparently had an incident some time ago in which an attacker had access to servers and private keys. Three private keys have appeared online, one of which belongs to an expired HTTPS certificate.
Several cryptographic keys and information about NordVPN configuration files have appeared in a leak. One of the keys matches an older NordVPN website certificate. The vendor has not yet commented on the incident.
The leak surfaced in an online discussion. In a now-deleted tweet, NordVPN wrote: “Nobody can steal your online life (if you use a VPN).” In response, someone posted a link to a text file containing evidence that a VPN provider had been hacked.
Leaked RSA key belongs to website certificate
The file appears to be a console log. An attacker had access to a NordVPN server. It shows various configuration files of the OpenVPN software as well as certificates and three private RSA keys.
Golem.de was able to check and confirm that the key actually belongs to the certificate. So at least this part is not a fake. The certificate is an outdated wildcard certificate for the NordVPN domain. It expired in October 2018. This may indicate that the hack happened a long time ago, but of course it could also be that the attacker stole the key of an already outdated certificate.
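A check of this kind can be reproduced with the OpenSSL command line by comparing the public key embedded in the certificate with the public key derived from the private key. The script below is an added example, not part of the original article and not Golem.de's own procedure; the file names, the placeholder domain `example.test` and the keys it generates are constructed sample data.

```shell
#!/bin/sh
# Added example: does a private key belong to a given certificate?
# Both commands emit the public key as SubjectPublicKeyInfo PEM, so a
# matching pair produces byte-identical output.
key_matches_cert() {   # usage: key_matches_cert CERT.pem KEY.pem
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# SHA-256 of the DER-encoded public key, handy for quoting in a report.
spki_sha256() {        # usage: spki_sha256 CERT.pem
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    printf '%s\n' "$pub" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Constructed sample data: a throwaway key, a self-signed wildcard
# certificate for a placeholder domain, and an unrelated second key.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
openssl genrsa -out "$work/site.key" 2048 2>/dev/null
openssl genrsa -out "$work/other.key" 2048 2>/dev/null
openssl req -x509 -new -key "$work/site.key" -subj "/CN=*.example.test" \
    -days 1 -out "$work/site.crt" 2>/dev/null

for k in site.key other.key; do
    if key_matches_cert "$work/site.crt" "$work/$k"; then
        echo "$k: belongs to the certificate"
    else
        echo "$k: does NOT belong to the certificate"
    fi
done
echo "SPKI SHA-256: $(spki_sha256 "$work/site.crt")"
# Subject and expiry date show which certificate the key was matched against.
openssl x509 -in "$work/site.crt" -noout -subject -enddate
```

An exit status of 2 from `key_matches_cert` means one of the files could not be parsed, which is reported separately from a mismatch so that two unreadable inputs never count as a match.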
Stored VPN traffic cannot be decrypted directly with the leaked keys. The configuration files that are also shown indicate that the OpenVPN configuration uses a Diffie-Hellman key exchange, so the connections have the so-called forward secrecy property, which prevents later decryption. The keys could, however, be used for a man-in-the-middle attack. In addition, it can be assumed that the attacker was able to access traffic during the hack.