by varispeed 1091 days ago
Can you guess someone else's account id or sort of brute force to find valid ids and then run malicious searches against them?

Seems like a security risk.

3 comments

I would bet money that Mullvad heavily rate limits incorrect ID entries. Also, it's a 16-digit number, good luck.
Is it the full account number? Good luck guessing that :P

If so it's like 16 digits. Isn't that 10^16 values? If they had 1 million users, that's still a lot of numbers to test before you find 1 valid one :)

I suck at math, but that's like 999999999 non-existing accounts per valid account? (10^16 - 10^6 - 1)

Well, if that is 1 million active users, I would bet that there are still many more 'used' keys; I myself, being a Mullvad user, have used about four different accounts, since you can just generate a new one. I don't know if this really makes a difference, though.
The Mullvad "account number" is not a user id, it's a 16-number secret key. If you have that, you have the account.
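The thread's back-of-the-envelope reasoning (16-digit space, roughly a million valid accounts, rate limiting) can be made precise with a small sizing model. The following is an added example, not code from the thread or from Mullvad; the population size, the guess rates and the assumption that account numbers are uniformly random over all 10^16 values are constructed inputs, used only to show how the key-space size and a throttle combine into an expected-work figure.

```python
# Added example: sizing a secret-identifier space (not from the thread or Mullvad).
# Model: valid ids are spread uniformly over a space of `space_size` values and a
# guesser samples uniformly at random, so each guess hits with probability
# valid_ids / space_size and the number of guesses to the first hit is geometric.

SECONDS_PER_YEAR = 365 * 24 * 3600


def hit_probability(space_size: int, valid_ids: int) -> float:
    """Probability that a single random guess lands on a valid id."""
    return valid_ids / space_size


def expected_guesses_per_hit(space_size: int, valid_ids: int) -> float:
    """Expected number of guesses until the first valid id (mean of a geometric)."""
    return space_size / valid_ids


def invalid_per_valid(space_size: int, valid_ids: int) -> float:
    """How many non-existent ids sit between valid ones, on average."""
    return (space_size - valid_ids) / valid_ids


def years_to_expected_hit(space_size: int, valid_ids: int, guesses_per_second: float) -> float:
    """Wall-clock years until one expected hit at a sustained guess rate.

    `guesses_per_second` is whatever a throttle allows an attacker overall;
    a rate limit lowers it and stretches this figure proportionally.
    """
    seconds = expected_guesses_per_hit(space_size, valid_ids) / guesses_per_second
    return seconds / SECONDS_PER_YEAR


def sizing_report(digits: int, valid_ids: int, rates: list[float]) -> dict:
    """Summarise the space for a numeric id of `digits` decimal digits."""
    space = 10 ** digits
    return {
        "space_size": space,
        "hit_probability": hit_probability(space, valid_ids),
        "expected_guesses": expected_guesses_per_hit(space, valid_ids),
        "invalid_per_valid": invalid_per_valid(space, valid_ids),
        "years_at_rate": {r: years_to_expected_hit(space, valid_ids, r) for r in rates},
    }


if __name__ == "__main__":
    # Constructed inputs: the 1 million users from the thread, and three
    # hypothetical sustained guess rates (unthrottled vs. increasingly throttled).
    report = sizing_report(digits=16, valid_ids=10**6, rates=[1000.0, 10.0, 0.1])
    print(f"space size:         {report['space_size']:.0e}")
    print(f"hit probability:    {report['hit_probability']:.1e} per guess")
    print(f"expected guesses:   {report['expected_guesses']:.1e}")
    print(f"invalid per valid:  {report['invalid_per_valid']:,.0f}")
    for rate, years in report["years_at_rate"].items():
        print(f"  at {rate:>6} guesses/s -> {years:,.2f} years to one expected hit")
```

The two levers a defender controls are visible in the output: adding digits multiplies `expected_guesses` by ten per digit, and a rate limit divides the allowed guess rate, which is what turns the same space from months into decades of expected work.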