Dozens of Mullvad VPN accounts discovered on the dark web


The company insists this is not a leak but rather accounts that were given away for free and ended up on public forums.

Recently, Damien Bancal, a security researcher with over 30 years of experience, posted a brief news report, alleging that a Swedish VPN provider, Mullvad VPN, leaked user data.

“During an investigation carried out on behalf of a client of the ZATAZ Monitoring service, an astonishing data leak targeting Mullvad was discovered. Dozens of web addresses, leading to the Mullvad API, offered access to user connection information, such as IP addresses [IPv4 and IPv6 addresses], connection dates and some other information which, fortunately, was not personally identifiable,” the post reads.

Bancal, who’s been following hackers for years now, stumbled upon a hacker discussion and learned about their plans to release some data related to the Mullvad VPN on the dark market. The hackers shared some data that included a 16-digit Mullvad client ID along with their expiration date.

The researcher shared several different links to caches of forums where threat actors apparently were trading off dozens of Mullvad VPN accounts. It seems that not a lot of information on those accounts can be exposed with just an ID number, as no names, email addresses or other personally identifiable information can be retrieved.

Mullvad VPN account numbers

But while it seems impossible to trace the data to account owners, the researcher insisted that a malicious actor can induce big harm with very little information.

“In my 30 years of experience with my blog, I've seen malicious actors do a lot with limited content. In this case, they could be collecting information for OSINT (Open Source Intelligence) purposes: "gathering data today to decrypt it tomorrow."

Jan Jonsson, CEO of Mullvad VPN, wasn’t surprised to hear about the publicly exposed accounts. He said he’d personally seen pages with over 100 Mullvad VPN accounts.

“Wayback Machine indexes most of the web-sites and forums on the internet.mThere are many forums and pages that list “leaked” Mullvad accounts. Since Mullvad donates hundreds of thousands of Mullvad accounts yearly, for various reasons, to various organizations – these accounts end up at such forums/websites. This is one of several sources for “leaked accounts,” he told Cybernews via email.

He emphasized that this was not a leak. “Firstly, we do have an API with very limited functions. There is no personal information on an account, such as passwords. We do not even use passwords, a user generates just a 16 digit account number.”

According to him, people are trying to brute-force accounts – guessing account numbers in order to get a free account to use. Jonsson went on explaining: “An account number is a 16-digit decimal number in the range "1000 0000 0000 0000" to "9999 9999 9999 9999". There are 9*10¹⁵ different possible accounts (“9000 0000 0000 0000”). If for example we have 1 million paying customers, the chance to guess one is 1*10⁶ / 9*10¹⁵ You have to guess 1.11*10¹⁰ times to find one. Guessing 100 times per second, it will take 1.11*10⁸ seconds to find one paying account= 30833 hours = 1285 days. We have protection in place with strict rate limits, which means we do not allow anyone to guess 100 times per second.”

The Swedish-owned company puts a strong emphasis on customer privacy. In April, its office in Gothenburg was raided by the police, intending to seize computers with customer data.

The company then argued that such customer data didn’t even exist because of its 'no logs' policy. If they had taken something that would not have given them access to any customer information."

The VPN industry is under tight scrutiny from privacy experts since users rely on the service to essentially stay anonymous on the internet.

Exposure of VPN IDs could have serious consequences since it might be associated with private user information like billing, and may contain other personal details. In the case when a VPN ID is exposed, the user should change a password, enable multi-factor authentication, and inform their VPN provider about the issue.


More from Cybernews:

DarkBeam leaks billions of email and password combinations

Misconfigured WBSC server leaks thousands of passports

Reddit is now forcing ad personalization – you can’t opt out

Disney joins account sharing crackdown

Aeroflot, other airlines’ flights delayed over DDoS attack

Subscribe to our newsletter



Leave a Reply

Your email address will not be published. Required fields are markedmarked