Virtual private network provider NordVPN has confirmed that it was hacked March 2018. This admission comes after rumors that the company had been breached.

According to the company, an expired internal private key became exposed earlier this year, allowing for the construction of insecure NordVPN imitation servers.

“The breach was made possible by poor configuration on a third-party datacenter’s part that we were never notified of,” the company said in a prepared statement.

“Evidence suggests that when the datacenter became aware of the intrusion, they deleted the accounts that had caused the vulnerabilities rather than notify us of their mistake. As soon as we learned of the breach, the server and our contract with the provider were terminated and we began an extensive audit of our service,” said NordVPN.

The company said even though no user credentials were affected, the attacker did acquire expired TLS keys that, under extraordinary circumstances, could be used to attack a single user on the web, using a specifically targeted and highly sophisticated MITM attack.

The company said in a blog post that they have taken further steps to enhance their security. The steps include including an application security audit, a second no-logs audit, and a bug bounty program, which is still in the works.