“We can disclose only now that we had a server in Toronto seized in 2015, initially without our knowledge. Maybe a court order was served to the datacenter. For about 10 days we did not understand what happened to the server, which did not respond, while the datacenter did not provide information. After 10 days Italian police (and not any magistrate) contacted us. They informed us that Toronto police and FBI (*) asked for our help because they could not find any log in the server. Unfortunately their help request came after the server had been already seized. They did not even make a copy, they took it physically, therefore the server went offline, probably alerting the alleged criminals. It was obvious that forensic analysis could not find any log, simply because there were none. Our VPN servers did not even store the client certificates, go figure (now they also run in RAM disks, but in 2015 they did not). The whole matter was led by informing us without any document from any court or magistrate, but only through official and informal police communications, and only to ask for help after forensic analysis obviously failed completely.
We were not asked to keep confidentiality on the matter, but just to stay on the safe side and support the investigation on what it appeared as a serious crime (a whole database with personal information of a commercial service was cracked, stolen and published in public when the web site owners did not pay a “ransom”; while our server was apparently not used for the crack, it was used to upload elsewhere the database) we decided not to disclose the whole matter for at least 7 years. It’s one of those cases confirming that our servers do not store log, data or metadata of clients’ traffic.
(*) We may speculate that FBI was involved in a Canadian matter because the stolen database contained US citizens’ personal data”
AProfessional@lemmy.world 1 year ago
Such a strange comment.
Surely they kept it private because it’s bad for business. Then they randomly respond with this on a forum post?
crawley@lemmy.world 1 year ago
I dunno, if my VPN came out and said “heads up, one of our servers was seized and you have literally nothing to worry about because nothing is stored or logged on our servers,” that’s good news IMO. Obviously the best case scenario is not having it seized, but sometimes that’s not possible, and it’s a mark of a good VPN when the consequences to you of a server being seized are the same as if it wasn’t (i.e., none).
Imprint9816@lemmy.dbzer0.com 1 year ago
Yeah disclosure is alwaysbgood its just odd the way the handled it
-no official post -makes the announcement as a reply to a forum post (which came off like they werent even planning to disclose at all) -all of a sudden has a 7 year wait time on disclosures -not written super prpfessionally (i tend to assume english is a 2nd language for the staff but still as an orginization the staff should be a bit more refined).
AProfessional@lemmy.world 1 year ago
I agree, if they said this 7 years ago…
Imprint9816@lemmy.dbzer0.com 1 year ago
Yeah the whole thing is odd, especially since they disclosed it as a response instead of in the disclosure thread the first comment mentioned.