"This is not a leak" - Mullvad VPN dismisses alleged accounts breach
Mullvad VPN claims accounts were given away for free
One of the most popular VPN services around today has dismissed allegations regarding dozens of its users' accounts being found on the dark web.
Mullvad VPN told TechRadar Pro that the incidient is not a leak, but that the alleged breached VPN accounts were rather given away for free for later ending up in public forums.
The news was broken by Damien Bancal, a French security researcher, who posted findings of a possible data breach regarding web addresses leading to the Mullvad API on his cybersecurity blog.
Mullvad VPN alleged data leak
"We have come across forums and web pages that list "leaked" Mullvad accounts, but since Mullvad donates hundreds of thousands of accounts yearly for various reasons to various organizations, some of these accounts can end up on various forums of websites," Jan Jonsson, CEO at Mullvad, told TechRadar Pro.
Jonsson added that he was not too surprised about these findings, as he had seen for himself pages with more than 100 Mullvad accounts on.
"This is not a leak," he told us
In his write-up, Bancal wrote the VPN provider "fixed the data leak discovered by ZATAZ" (the cybersecurity blog he founded). He described an "astonishing data leak targeting Mullvad" with many leaked links revealing users' connection information such as IP address, stamp dates and other details, and claimed to have informed the Swedish provider about the leak, with the company promptly reacting to it.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Yet, "no one contacted us directly about this "leak"—except people that found that blog post. So, whoever they are, they did not check with us about this," Jonsson told us.
Besides, both Jonsson and Bancal himself confirmed that these supposedly breached web addresses cannot offer any personally identifiable users' data.
On this point, Jonsson said: "There is no personal information on an account, such as passwords. So there is not MUSH [Multi-User Shared Habitat] that can be extracted—except the time left on the account in question."
The National Operations Department (NOA) of the Swedish police has visited Mullvad VPN with a search warrant, with the intention to seize computers with customer data. No customer data was compromised. https://t.co/bMpPRNz88NApril 20, 2023
Known as one of the most secure VPN providers on the market, Mullvad has already demonstrated a strong commitment to users' privacy and security online on a few occasions.
Last year, for example, the company decided to axe recurring subscriptions in the name of privacy—in defiance of better profits, too. In April, it proved its no-log policy in real-life with an inconclusive police raid where no users' data got compromised. The company even decided to remove port-forwarding support on security grounds.
Mullvad is also busy promoting people's digital rights more broadly. It launched a campaign in March, in fact, to raise awareness around the risks of the EU Chat Control—a proposed legislation that, echoing the UK Online Safety Bill, could break encryption as we know it.
Talking about the company's work back in March 2023, Jonsson told us: "Mullvad is usually a very silent company. This is probably the first time we really got mad enough to speak out."
Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life—wherever cybersecurity, markets and politics tangle up. She mainly writes news, interviews and analysis on data privacy, online censorship, digital rights, cybercrime, and security software, with a special focus on VPNs, for TechRadar Pro, TechRadar and Tom’s Guide. Got a story, tip-off or something tech-interesting to say? Reach out to chiara.castro@futurenet.com