Threat Actor Leaks NordVPN Salesforce Database Source Codes

Operating under the identifier “1011,” a threat actor has claimed on a dark web forum to have leaked sensitive data from NordVPN’s development infrastructure.

The breach reportedly exposes over ten database source codes, along with critical authentication credentials that could pose significant risks to the VPN provider’s operational security.

The attacker alleges they gained access through a misconfigured development server hosted in Panama, a finding that underscores the persistent vulnerability of inadequately secured development environments across the technology sector.

According to the initial disclosure, the compromised data encompasses source code repositories from NordVPN’s core systems, Salesforce API keys, and Jira tokens.

These credentials grant direct access to critical business tools used for customer relationship management and project tracking.

The threat actor has released sample SQL dump files that reveal the structure of sensitive database tables, including the salesforce_api_step_details table and api_keys configurations, demonstrating proof of access to NordVPN’s backend infrastructure.

Dark Web Informer analysts identified the leak after the threat actor shared evidence on underground forums on January 4, 2026.

The researchers noted that this incident exemplifies how development servers often become attractive targets due to their relaxed security configurations compared to production environments.

Credential brute-forcing

The availability of database schema information and API key structures significantly increases the risk of follow-on attacks against NordVPN’s broader ecosystem.

The attack vector centered on credential brute-forcing against the misconfigured server, a technique that remains disturbingly effective against systems lacking adequate rate limiting and access controls.

This method involves systematically attempting various password combinations until gaining entry, a straightforward yet potent approach when defensive measures are absent or inadequate.

What distinguishes this breach from standard data theft is the exposure of source code itself, granting attackers architectural knowledge of systems that millions of users depend on for privacy protection.

The implications extend beyond NordVPN’s immediate operations. With API keys and Jira tokens now in public circulation, the threat landscape expands to include potential lateral movements within integrated services and possible manipulation of internal project management systems.

Security researchers recommend that NordVPN conduct immediate security audits of all development infrastructure, rotate compromised credentials across all platforms, and strengthen authentication protocols with multi-factor enforcement.

Organizations handling similar development environments should implement stronger access controls and continuous monitoring to prevent comparable breaches.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.