NordVPN Security Controversies: Should You Trust It After the 2019 Breach?

Disclaimer: We may earn a commission if you buy through our links. This helps keep our reviews honest and our site running.

NordVPN Security in 2026: Can You Trust Them After the 2019 Breach?

Let’s talk about the thing NordVPN’s marketing team wishes you’d forget: In 2019, one of their servers got hacked.

Not a “theoretical vulnerability.” Not a “minor incident.” An actual breach. Private keys stolen. Data center in Finland compromised.

Now, five years later, everyone’s moved on. The company says they’ve fixed everything. Independent audits say it’s fine. Influencers are back to promoting it.

But here’s the question nobody’s asking: What does “fixed” actually mean? And should you care?

What Actually Happened in 2019

Data summary: Analyzed 8 security-focused discussions from HackerNews, BleepingComputer, and Reddit. The 2019 breach involved a compromised data center in Finland. Private keys were exposed, but NordVPN claims no user data was logged or leaked.

Here’s what we know for sure: A third-party data center NordVPN was renting got breached. The attacker grabbed private keys for one server.

With those keys, they could theoretically decrypt traffic going through that specific server. Not all servers. Just that one.

“NordVPN was one of the VPN providers who had a server hacked and while they stated that the server did not contain any logs, the breach still happened.” — BleepingComputer

NordVPN’s response: “We don’t keep logs, so even if the server was compromised, there was nothing to steal.”

Okay. But that’s not the point. The point is: they didn’t know about the breach for months. The data center didn’t tell them. They found out when someone posted about it online.

That’s not a technical failure. That’s an operational failure.

The HackerNews Crowd Still Doesn’t Trust Them

I went through HackerNews threads from 2019 to 2026. The skepticism hasn’t gone away.

“I can’t help but notice that NordVPN is one of the most heavily advertised VPNs from what I’ve seen (which raises the question: why do they need to advertise so much?)” — HackerNews user

That’s the vibe. Not “they’re definitely bad.” More like “something feels off.”

Some users claim NordVPN uses customers as botnets to resell residential IP traffic. I can’t verify that. But the fact that it’s even being discussed tells you something about the trust level.

“Allegedly, they are using their customers as botnets to resell traffic from residential IPs, mostly for scraping.” — HackerNews comment

Is it true? I don’t know. But when people are suspicious enough to say it out loud, that’s a reputation problem.

What They’ve Done Since 2019

To their credit, NordVPN didn’t just ignore the breach and hope people forgot. They made changes:

  • RAM-only servers: No data persists on disk. If a server gets compromised, there’s nothing stored to steal.
  • Independent audits: PwC audited their no-logs policy. Cure53 audited their apps. Both came back clean.
  • Bug bounty program: They’re paying security researchers to find vulnerabilities before attackers do.
  • Colocated servers: They moved away from third-party data centers. Now they control the hardware.

Those are real improvements. Not just PR spin.

But here’s the thing: Audits prove what you’re doing right now. They don’t prove you’ll keep doing it. And they definitely don’t prove you won’t screw up again.

The “No Logs” Claim: Is It Real?

NordVPN says they don’t keep logs. PwC audited them and confirmed it. A police investigation in 2023 reportedly found they had nothing to hand over.

“I am all-but-certain that NordVPN doesn’t [keep logs]. I am in possession of records from a recent police investigation in which law enforcement requested data and NordVPN had nothing to provide.” — HackerNews user

That’s about as close to proof as you’re gonna get. If they had logs, the cops would’ve gotten them.

So yeah, the no-logs claim seems legit. At least as of 2023.

But—and this is important—no logs doesn’t mean no risk. If someone compromises a server while you’re connected, they can still intercept your traffic in real time. No logs just means they can’t go back and look at what you did yesterday.

It’s a layer of protection. Not a magic shield.

Should You Trust NordVPN in 2026?

Here’s my take: Trust isn’t binary. It’s not “yes” or “no.” It’s “for what purpose?”

If you’re a journalist in a hostile country: No. Use Tor. Or a VPN that’s been around longer without a breach. Or self-host.

If you’re trying to watch Netflix from another country: Yeah, NordVPN is fine. The 2019 breach doesn’t matter for that use case.

If you’re torrenting: Probably fine. Their no-logs policy seems real. Just don’t use the server that got breached (it’s been decommissioned anyway).

If you’re doing something illegal: I’m not gonna tell you what to do. But I will say: relying on any commercial VPN for serious anonymity is a bad idea. They all have weak points.

Bottom line: NordVPN is more trustworthy now than it was in 2019. But “more trustworthy” doesn’t mean “perfectly trustworthy.” Decide based on your threat model, not their marketing.

FAQs

Was NordVPN hacked in 2019?

Yes. One server in a Finnish data center was compromised. Private keys were stolen. NordVPN says no user data was leaked because they don’t keep logs.

Is NordVPN safe to use now?

Safer than in 2019. They’ve moved to RAM-only servers, passed independent audits, and improved their infrastructure. But no VPN is 100% safe.

Does NordVPN keep logs?

According to PwC’s audit and police investigation records, no. But audits are snapshots, not guarantees. Policies can change.

Should I use NordVPN if I’m worried about privacy?

Depends on your threat model. For casual privacy (hiding from your ISP), yes. For high-stakes anonymity (journalism, activism), consider Tor or self-hosted solutions.

Are there better alternatives to NordVPN for security?

Mullvad and IVPN have stronger privacy reputations. ProtonVPN is based in Switzerland with strong legal protections. But they’re all commercial services with trade-offs.

Can I trust VPN audits?

Audits prove what’s true at the time of the audit. They don’t prove future behavior. Treat them as evidence, not guarantees.
