“This is not a leak” - Mullvad VPN dismisses alleged accounts breach

Mullvad VPN claims accounts were given away for free


One of the most popular VPN services around today has dismissed allegations regarding dozens of its users' accounts being found on the dark web.

Mullvad VPN told TechRadar Pro that the incident is not a leak: the allegedly breached VPN accounts had instead been given away for free and later ended up on public forums.

The news was broken by Damien Bancal, a French security researcher, who posted on his cybersecurity blog findings of a possible data breach regarding web addresses leading to the Mullvad API.

Mullvad VPN alleged data leak


“We have come across forums and web pages that list “leaked” Mullvad accounts, but since Mullvad donates hundreds of thousands of accounts yearly for various reasons to various organizations, some of these accounts can end up on various forums of websites,” Jan Jonsson, CEO at Mullvad, told TechRadar Pro.

Jonsson added that he was not too surprised about these findings, as he had seen for himself pages with more than 100 Mullvad accounts on.

“This is not a leak,” he told us.

In his write-up, Bancal wrote that the VPN provider “fixed the data leak discovered by ZATAZ” (the cybersecurity blog he founded). He described an “astonishing data leak targeting Mullvad” with many leaked links revealing users' connection information such as IP address, stamp dates and other details. He also claimed to have informed the Swedish provider about the leak, and said the company reacted promptly.


Yet, “no one contacted us directly about this “leak”—except people that found that blog post. So, whoever they are, they did not check with us about this,” Jonsson told us.

Besides, both Jonsson and Bancal himself confirmed that these supposedly breached web addresses cannot yield any personally identifiable user data.

On this point, Jonsson said: “There is no personal information on an account, such as passwords. So there is not MUSH [Multi-User Shared Habitat] that can be extracted—except the time left on the account in question.”

The National Operations Department (NOA) of the Swedish police has visited Mullvad VPN with a search warrant, with the intention to seize computers with customer data. No customer data was compromised. https://t.co/bMpPRNz88N (April 20, 2023)

Known as one of the most secure VPN providers on the market, Mullvad has already demonstrated a strong commitment to users' privacy and security online on a few occasions.

Last year, for example, the company decided to axe recurring subscriptions in the name of privacy—in defiance of better profits, too. In April, it proved its no-log policy in real life, when a police raid ended inconclusively and no user data was compromised. The company even decided to remove port-forwarding support on security grounds.

Mullvad is also busy promoting people’s digital rights more broadly. In March, it launched a campaign to raise awareness of the risks of the EU Chat Control—proposed legislation that, echoing the UK Online Safety Bill, could break encryption as we know it.

Talking about the company’s work back in March 2023, Jonsson told us: “Mullvad is usually a very silent company. This is probably the first time we really got mad enough to speak out.”

Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life—wherever cybersecurity, markets and politics tangle up. She mainly writes news, interviews and analysis on data privacy, online censorship, digital rights, cybercrime, and security software, with a special focus on VPNs, for TechRadar Pro, TechRadar and Tom’s Guide. Got a story, tip-off or something tech-interesting to say? Reach out to chiara.castro@futurenet.com
