NordVPN recently investigated a claim by a threat actor using the alias “1011”, who announced on a dark web platform that they were responsible for a leak of the company's internal Salesforce and development data.
Based on cybersecurity monitoring reports, the hacker claimed to have accessed internal systems linked to Salesforce and Jira. As of today, January 5, NordVPN confirmed that the breach claim was false and that there is no evidence suggesting that its customers' browsing activities or VPN data were exposed.
Threat actor posts many sample SQL dumps & screenshots
To prove the claims, the threat actor posted screenshots and SQL dumps online. According to reports by security monitoring sites, the samples included data tables such as salesforce api step details and api keys. These were meant to show that “1011” had in fact accessed backend schema structures and integration-related data, as claimed.
The samples also indicated that the exposed environment contained multiple database source codes, authentication records, and configuration details. To further support the claims, the threat actor stated that it had exfiltrated over 10 database source code files from the environment it breached.
The attacker also exposed other sensitive data, including Jira tokens, Salesforce API keys, and credentials used for automation and internal system communication. On January 4, 2026, cybersecurity researchers who monitor dark web activity confirmed the existence of the listing.
However, they have yet to confirm whether the listed data is legitimate, because there is no evidence of any impact on NordVPN’s customer information or production infrastructure.
This incident underscores the critical role of dark web monitoring in early threat detection, even as the tools available to the public for such scans are shifting, as highlighted by the news that millions will lose free dark web scans as Google retires a key privacy tool.
Data leak through misconfigured development server
In its report on the incident, CyberPress disclosed that the bad actor claimed to have exploited a misconfigured development server that was vulnerable to brute-force access. After gaining access, 1011 claimed to have accessed and taken database backups and stored configuration files.
According to security researchers at CyberPress, development environments are usually more susceptible to attacks because they house sensitive credentials but lack the same level of monitoring and access controls usually present in production systems. If confirmed, the exploit could enable unauthorized integration access when internal development data links to live systems.
This particular breach is even more concerning because any leak of API keys and schema linked to Salesforce will expose workflow designs, user access flows, and automation scripts. The exposure of such core integration and user data blueprints represents a significant privacy and security failure, precisely the type of systemic risk that is drawing increased scrutiny from regulators (as seen in the recent move where the US FTC sought privacy information from video streaming and social media giants).
Security experts also believe that even if the bad actors don’t sell the stolen data, exposing such credentials can enable other threat actors to attack the site. Amid the bad actor's claims and speculation about the alleged data breach, NordVPN remained silent but continued its investigation. Finally, on January 5, NordVPN released a statement debunking the claims and revealing that there was no data breach.
NordVPN confirmed that attackers did not breach its internal Salesforce development servers
On January 5, the head of public relations at Nord Security debunked the claims of exploitation on NordVPN’s internal Salesforce development servers. As reported by, Laura Tyrylyte made the statement and further disclosed the steps which the company took after discovering the actor’s allegations on a forum website on January 4.
Tyrylyte stated that Nord Security started investigating immediately and has now confirmed that there is no sign of such a compromise. She further disclosed that the data in the claim did not originate from the internal Salesforce environment or any of the services the hacker mentioned. Instead, the investigation revealed that the configuration files were linked to a third-party site.