What will Mullvad do if it experiences a data breach?

If all of Mullvad’s account numbers (which act as both username and password for the service, and are stored in plain text) are publicized somehow, there won’t be too much fallout in terms of personal data compromise, but it would put Mullvad in an untenable situation:

  • They can’t just change all the account numbers because they’re the main login method; a number can only be changed if the last payment was made using cash, crypto or a voucher and was over 40 days ago
  • They have no mechanism for transferring time to another account either, besides contacting support

If you bought a lot of time on Mullvad at once (quite likely if you did so using cash or crypto), you’ll be competing with people who have the breached data to use the VPN you paid for until your time runs out and you can make a new account.
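An added illustration, written for this thread and not Mullvad’s code or a statement of how Mullvad actually stores anything: the plaintext table the post describes beside a keyed-hash table, with the breach simulated as replaying the leaked rows as logins. The 16-digit length comes from a later post; the pepper, the `AccountStore` class and the number generator are assumptions.

```python
import hashlib
import hmac
import math
import secrets
from typing import Optional

DIGITS = 16  # account-number length mentioned later in the thread


def keyspace_bits() -> float:
    """log2(10^16) ~ 53.2 bits: random, but far too few to survive a leaked table
    of fast unkeyed hashes, hence the secret pepper in AccountStore below."""
    return math.log2(10 ** DIGITS)


def new_account_number() -> str:
    """Hypothetical generator: 16 uniformly random digits from a CSPRNG."""
    return "".join(str(secrets.randbelow(10)) for _ in range(DIGITS))


class AccountStore:
    """Maps a lookup key to the account's paid-until date. With pepper=None the
    key is the raw number (the plaintext table the post describes). With a pepper
    (kept in a KMS/HSM, never in the database) the key is HMAC-SHA256(pepper,
    number): a dump then holds no replayable credentials and cannot be enumerated
    without the pepper. The number stays the only login factor either way."""

    def __init__(self, pepper: Optional[bytes] = None) -> None:
        self._pepper = pepper
        self.rows: dict = {}

    def _key(self, acct: str) -> str:
        if self._pepper is None:
            return acct
        return hmac.new(self._pepper, acct.encode(), hashlib.sha256).hexdigest()

    def create(self, acct: str, paid_until: str) -> None:
        self.rows[self._key(acct)] = paid_until

    def login(self, acct: str) -> Optional[str]:
        return self.rows.get(self._key(acct))

    def dump(self) -> dict:
        return dict(self.rows)  # the rows exactly as a breach would hand them over


def breach_replay_works(store: AccountStore) -> bool:
    """Simulate the breach: replay every row key of the leaked table as a login."""
    return any(store.login(k) is not None for k in store.dump())
```

Hashing the stored form limits what a dump is worth; it does nothing for the rotation problem above, since the number a user types is still the whole credential.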

Why is this a bad look? Calm down.

There’s no need to feel obligated to quickly respond to very unlikely what-if scenarios, or to respond at all really. Please be respectful of people’s time. There’s also no need to ping ruihildt, who’s on the browser team. (Although it’d be nice if someone from their VPN product was around.)

There are plenty of ways Mullvad could deal with this problem. I wouldn’t know what they’d do specifically, but I’m fairly confident that no matter what they do the outcome for you, the user, would be perfectly acceptable.

13 Likes

I’d never considered this question before, and now I’m rather curious.


Radio silence. This is a bad look.

We are a relatively small forum; expecting companies or developers to promptly respond to any hypothetical question posed on any unofficial public space seems unrealistic (and, equally importantly, demanding immediacy, being overly negative, or @'ing developers or reps every time there is a question or concern is likely to cause burnout and disincentivize developer/vendor participation on forums like ours and other unofficial spaces).

I think your first recommendation was correct:

Have you contacted Mullvad and asked? support@mullvadvpn.net

6 Likes

I just wanted to say that there are actually cases where some Mullvad account numbers have been “leaked” on hacking forums such as breachforums (yes, this site is still alive). I don’t know the veracity of these numbers and I haven’t tested them, so it’s possible that they just assembled 16 digits and then published them. I really think these account numbers are “unchecked”, meaning that the cybercriminal posting them hasn’t checked them to see if they work. I tested at least 2 and they didn’t work. I guess it was like… x25 numbers or x50, idk.

If you want me to provide screenshots of these hacking posts, I can’t because I’m actually on vacation and haven’t brought my PC with me. When I get back home I can provide them if you want.

Indeed, I will most probably not talk about anything outside Mullvad Browser.

We’re well aware of the implications of using a random account number as username and password. What I can assure you is that the priority is always on never leaking users’ personal data.

As said previously by someone else, if you want to have details about how we store account numbers, you’re welcome to contact support@mullvadvpn.net and report the answer.

5 Likes