A threat actor has claimed to have leaked data from NordVPN’s internal Salesforce development server, posting alleged configuration files and API key entries on a well-known cybercrime forum.
However, NordVPN has refuted the breach allegations, asserting that its production systems and customer data remain secure.
The claims were published on BreachForums on January 4, 2026, by a forum user going by the handle “1011.” The post included what appeared to be SQL dumps referencing api_keys tables, purportedly extracted from a misconfigured development server. The attacker claimed to have obtained the data via brute-forcing access to a NordVPN server that supposedly held Jira and Salesforce information.
Despite the technical-looking database snippets and references to specific API tokens, NordVPN has dismissed the incident as a misrepresentation. In a statement to the press and a public blog post, the company explained that the data does not originate from its internal systems, nor does it reflect access to any actual Salesforce infrastructure used in production.
“The claims that NordVPN’s internal Salesforce development servers were breached are false,” the company said in a statement sent to CyberInsider.
“Our security team has completed an initial forensic analysis of the alleged data dump, and we can confirm that, at this stage, there are no signs that NordVPN servers or internal production infrastructure have been compromised.”
NordVPN attributes the leaked data to a third-party platform used during a limited trial phase roughly six months ago. During that time, the company tested a vendor for automated testing purposes, spinning up a temporary environment as part of a standard Proof of Concept (PoC). According to the firm, no customer data, active credentials, or production infrastructure were ever linked to this trial setup.
NordVPN clarified that the environment contained only dummy data, and no contract was ever finalized with the vendor in question. While the leaked artifacts resemble real database tables and API structures, the company says they were never connected to its operational systems.
Founded in 2012, NordVPN is one of the most widely used virtual private network providers, serving millions of users globally with a focus on privacy and encrypted internet access.
NordVPN says it is continuing to investigate the matter and has reached out to the third-party vendor involved to gather more details. So far, no indicators suggest the exposure involved NordVPN's proprietary systems or customer information.
Leave a Reply