What happened
A threat actor using the alias “1011” claims a NordVPN Salesforce data leak, having posted alleged Salesforce development database source code, API keys, and internal tokens on a dark web forum. The actor claims access was obtained via a misconfigured development server in Panama, exposing over ten databases and credentials tied to NordVPN’s internal tooling and project management systems.
Who is affected
NordVPN’s internal systems and development environments are directly affected. Exposed credentials could impact integrated services if they are not fully rotated.
Why CISOs should care
The case reinforces how misconfigured development assets and exposed credentials remain common initial access vectors for attackers.
3 practical actions
- Audit non-production systems: Secure dev and staging environments.
- Rotate exposed secrets: Revoke and replace all potentially compromised credentials.
- Enforce least privilege: Limit access scope for development tokens.
