The vulnerability was discovered by a cyber intelligence and hacking group called ZATAZ. Mullvad VPN's API offers access to user information, something called “account_id,” which Mullvad uses instead of actual usernames, emails, and passwords. These “account_ids” are comprised of only a few digits, meaning that it’s easy to use brute force attacks and get private information from the API without any authentication.<p>This could potentially be a serious issue; however, it’s unclear whether any actual user information (such as an IP address) can be exposed this way. Mullvad has already fixed this security flaw, but there hasn’t been any official statement from the company: nothing on their official webpage or replies to worried Twitter users.<p>This is probably the most worrying part: VPNs are all about privacy and trust in the VPN service provider: if Mullvad avoids being transparent here, this is a serious hit to their credibility.<p>Source (<a href="https://www.zataz.com/vpn-mullvad-corrige-une-fuite-decouverte-par-zataz/" rel="nofollow noreferrer">https://www.zataz.com/vpn-mullvad-corrige-une-fuite-decouver...</a>)
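An added illustration of the weakness the post describes (a short, enumerable identifier used as the only credential for an unauthenticated lookup) beside a hardened design; this is example code, not Mullvad's API or fix, and the account records, secret scheme and rate limits are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time
from collections import defaultdict

# Constructed sample store (not real Mullvad data): a short numeric
# account_id maps to the record the API hands back.
ACCOUNTS = {"1234": {"expiry": "2024-01-01"}, "5678": {"expiry": "2024-06-01"}}

def keyspace_seconds(digits, requests_per_second):
    """Worst-case seconds to walk every numeric id of the given length."""
    return 10 ** digits / requests_per_second

def lookup_weak(account_id):
    """The pattern in the post: the guessable id is the only credential."""
    return ACCOUNTS.get(account_id)

# Hardened variant (hypothetical design): each account also holds the hash of
# a 128-bit secret issued to the client, and lookups are throttled per source.
SECRET_HASHES = {}
DUMMY_HASH = "0" * 64          # keeps unknown ids on the same code path
ATTEMPTS = defaultdict(list)
WINDOW_SECONDS, MAX_ATTEMPTS = 60, 5

def issue_secret(account_id):
    token = secrets.token_hex(16)   # 128 bits of entropy; not enumerable
    SECRET_HASHES[account_id] = hashlib.sha256(token.encode()).hexdigest()
    return token

def lookup_hardened(account_id, token, source, now=None):
    now = time.monotonic() if now is None else now
    recent = [t for t in ATTEMPTS[source] if now - t < WINDOW_SECONDS]
    if len(recent) >= MAX_ATTEMPTS:
        ATTEMPTS[source] = recent
        return None                 # throttled: guessing from one source stops here
    ATTEMPTS[source] = recent + [now]
    expected = SECRET_HASHES.get(account_id, DUMMY_HASH)
    presented = hashlib.sha256(token.encode()).hexdigest()
    # constant-time comparison; a wrong secret and an unknown id look identical
    if not hmac.compare_digest(expected, presented):
        return None
    return ACCOUNTS.get(account_id)
```

With a 4-digit id at 100 requests per second, `keyspace_seconds(4, 100)` shows the whole space is covered in under two minutes, which is why the hardened path needs both a high-entropy secret and throttling rather than a longer id alone.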
The link seems to go to a login page, but <a href="https://old.reddit.com/r/vpnreviews/comments/16u7b6m/swedenbased_vpn_provider_mullvad_was_found_to/" rel="nofollow noreferrer">https://old.reddit.com/r/vpnreviews/comments/16u7b6m/swedenb...</a> is what it should be pointing at, which is a translation from French of <a href="https://www.zataz.com/vpn-mullvad-corrige-une-fuite-decouverte-par-zataz/" rel="nofollow noreferrer">https://www.zataz.com/vpn-mullvad-corrige-une-fuite-decouver...</a>, which is light on details, but between the two it implies that account IDs were linkable to web address visits and times until the API was closed.