Sweden-based VPN provider Mullvad was found to leak user data

These “account_ids” are comprised of only a few digits,

That statement needs to be corrected. Mullvad “account_id” is the 16-digit account number, not “only a few digits.”

The account number is the only user information stored by Mullvad: no name, no email address, no physical address, no IP address.

This made its way into another VPN subreddit, but I figured I’d repost my take on it here.

Your account number at Mullvad is the single source of truth. This is why they say to hold onto it and never share it with anyone you do not trust - as anyone can use your account number.

For Mullvad’s apps and other tools to know you’re authenticated, they need to interact with its API. Every service does this. What I theorize is that already-leaked account numbers have found their way to be indexed in the Wayback Machine, as this report claims. This can sometimes indicate that the API endpoints were visible to search engine crawlers, where it likely was archived from.

The URL in question followed a path of /accounts/(assuming account number). Typically crawlers do not index things like query parameters or authorization headers. Mullvad does not appear to be using that and uses the path as a parameter. This isn’t bad design if it’s protected, but it wasn’t.

Since they redacted all the data, it’s not known what exactly could have been taken, but my guess is:

  • Basic account info, such as activity status and authorization tokens for Mullvad apps and any subscription info (if such exists)
  • Port forwarding configuration (if one exists)
  • WireGuard device public keys (this is not sensitive info)
  • RFC1918 IP assignment (not your actual IP address)
  • Maximum device limit

Because Mullvad does not store any personally identifiable information, there is no data that is of any use to an attacker other than to get free Mullvad. An oopsie to allow crawlers to index leaked account numbers? Maybe. Data leak? Not really. With that said, I am just speculating considering this report is very lackluster and Mullvad has not clarified this yet.

This is a non-story imo
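Added example, not code from this thread, from Mullvad, or from the article: a throwaway http.server on 127.0.0.1 that serves the same made-up “account” resource two ways, with the 16-digit number in the URL path versus in an Authorization header, and records what an ordinary access log captures for each. The paths /www/accounts/<id> and /www/me, the handler, the JSON body and the account number 1234567890123456 are all assumptions for illustration; nothing here talks to the real API.

```python
"""Added example, not code from the thread, Mullvad or the article.

Serves a made-up "account" resource two ways on 127.0.0.1 and records what
an ordinary access log sees:
  * /www/accounts/<16 digits>   credential in the URL path
  * /www/me + Authorization     credential in a request header
Paths, handler and the account number are illustrative assumptions.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed for the demo; not a real Mullvad account number.
SECRET_ACCOUNT = "1234567890123456"

# Stand-in for the web server, reverse proxy, CDN or archive crawler log.
ACCESS_LOG = []


class Handler(BaseHTTPRequestHandler):
    def log_message(self, fmt, *args):
        # Typical access-log format: method, path and Referer are recorded;
        # request headers such as Authorization are not.
        ACCESS_LOG.append("%s %s referer=%s" % (
            self.command, self.path, self.headers.get("Referer", "-")))

    def do_GET(self):
        if self.path.startswith("/www/accounts/"):
            # Path-based design: knowing the URL *is* being authenticated.
            self._reply(200, b'{"expiry": "2030-01-01", "devices": 1}')
        elif self.path == "/www/me":
            # Header-based design: constant path, credential in Authorization.
            if self.headers.get("Authorization") == "Bearer " + SECRET_ACCOUNT:
                self._reply(200, b'{"expiry": "2030-01-01", "devices": 1}')
            else:
                self._reply(401, b'{"error": "unauthorized"}')
        else:
            self._reply(404, b'{"error": "not found"}')

    def _reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        # Asks well-behaved crawlers not to index or archive the response;
        # like robots.txt this is advisory only.
        self.send_header("X-Robots-Tag", "noindex, noarchive")
        self.end_headers()
        self.wfile.write(body)


def _get(port, path, headers=None):
    """Plain http.client request so no proxy settings get involved."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path, headers=headers or {})
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, body


def run_demo():
    """Issue one request per design and report what leaked into the log."""
    ACCESS_LOG.clear()
    server = HTTPServer(("127.0.0.1", 0), Handler)   # ephemeral port
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        path_status, _ = _get(port, "/www/accounts/" + SECRET_ACCOUNT)
        hdr_status, _ = _get(port, "/www/me",
                             {"Authorization": "Bearer " + SECRET_ACCOUNT})
        noauth_status, _ = _get(port, "/www/me")
    finally:
        server.shutdown()
        server.server_close()
    log = list(ACCESS_LOG)
    return {
        "statuses": (path_status, hdr_status, noauth_status),
        "log": log,
        "path_design_leaks": any(
            SECRET_ACCOUNT in line for line in log if "/www/accounts/" in line),
        "header_design_leaks": any(
            SECRET_ACCOUNT in line for line in log if "/www/me" in line),
    }


if __name__ == "__main__":
    result = run_demo()
    for line in result["log"]:
        print(line)
    print("path design leaks account number:", result["path_design_leaks"])
    print("header design leaks account number:", result["header_design_leaks"])
```

Run it and the first log line carries the full account number while the second does not, which is the whole difference between the two designs: anything that sees URLs (access logs, proxies, browser history, Referer headers, archive crawlers) sees a path-based credential, whereas a header-based one stays out of all of those by default. The X-Robots-Tag header is added as a belt-and-braces measure with the same limitation as robots.txt: it only helps against crawlers that honor it.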

Ongoing story it seems.

https://cybernews.com/news/mullvad-vpn-accounts-dark-web/

The API endpoint being talked about in the post/article is this endpoint: api[.]mullvad[.]net/www/accounts/ (remove the s).

You can insert your own Mullvad ID there to see what information it returns. It pretty much just returns exactly what you can see on the Mullvad app or website when you input your account number. Note that it does not return any information such as user IPs or any personal information (Mullvad of course claims they don’t store any of this, so it shouldn’t be possible in the first place).

Mullvad’s account numbers are more or less equivalent to your password, so anyone with access to the account number can do anything with your account that you are able to do.

The “leak” here is from search engines/Internet Archive crawling this endpoint, but they aren’t just randomly bruteforcing these IDs; that is entirely impracticable for the length of IDs Mullvad uses. The more likely case is these links are somehow getting indexed by crawlers some other way, either by being linked from other sites, or by some kind of traffic analysis by extensions or software on a user’s PC. Lots of adware/malware like this exists that just scrapes a user’s browsing history and sells all of it to traffic analysis agencies, who then go on to sell it to search engines and such.

Mullvad probably should have a robots.txt file for their API domain to block crawlers though; this seems like the only issue on their end. That being said, a lot of crawlers don’t even honor robots.txt these days, so they’d probably be better off just null routing any known web crawler IP ranges; usually these are published by the companies themselves.

There is an allegation of a user data leak. Some other people are coming up with (presumptive) explanations, except Mullvad. As users, don’t we deserve an explanation? Even if it is a lie, the company must say so.

It is all about trust. I am done with Mullvad.

Basically you see some random Mullvad account IDs from just certain search engine results, but yeah I guess they are donated accounts and not paid accounts.

Not worried, Mullvad knows what they are doing.

I wouldn’t say that, your account can now be sold and used by other people without you noticing. They have full access to it just like you do. It’s especially frustrating if you have a new year subscription. The lack of basic functionality in the form of a password makes it very easy.

“who is to tell if something else might have leaked”

Who’s to tell if we are even safe? Are we even real? How can we see if our eyes are ghosts?

Jan Jonsson, CEO of Mullvad VPN, wasn’t surprised to hear about the publicly exposed accounts. He said he’d personally seen pages with over 100 Mullvad VPN accounts.

“Wayback Machine indexes most of the websites and forums on the internet. There are many forums and pages that list ‘leaked’ Mullvad accounts. Since Mullvad donates hundreds of thousands of Mullvad accounts yearly, for various reasons, to various organizations – these accounts end up at such forums/websites. This is one of several sources for ‘leaked accounts,’” he told Cybernews via email.

He emphasized that this was not a leak. “Firstly, we do have an API with very limited functions. There is no personal information on an account, such as passwords. We do not even use passwords, a user generates just a 16 digit account number.”

So just let your current credits expire (I only keep 1-2 months credit), and when you rebuy you’ll get a new ID. Limited risk here.

Windscribe has a shitload of hacked accounts floating around. It’s probably a problem for most providers.

1-2 months is fine, but I was talking about a year. But in that case, support will probably be able to help

WindScribe has given away thousands of free accounts. I recall them giving free accounts to Iranians and then Ukrainians, but they never checked if people requesting the accounts were living there or not, hence the source of those “hacked” accounts.

WindScribe later admitted that many of their free accounts were being requested by people from other parts of the World.

Got it. But still, not sure why someone would pay for a year since there is no discount, but maybe I’m wrong. I only pay for two months at most at a time. Recently I missed refilling it, and got a totally new ID when I did.

It’s more people reselling free accounts to unaware people. There’s also people who use the same password for everything. One service takes a breach. Eventually their credentials are tested across all popular services.

Relief codes were a temp upgrade based on current events in that locale.

The scale of the issue for us is tiny in the grand scale of things. Obviously, we don’t want to see people scamming but other than reporting listings (where nothing is ever done) there’s little we can do.

Hah, for me because I’m too lazy to do it every 1-2 months.
Yeah, getting a new ID is very simple and it really solves all problems with your old account

Yeah. I probably misused the word ‘hacked’. Inappropriately obtained.