As many of you may be aware, earlier today, criminals attempted to extort ProtonMail by alleging a data breach, with zero evidence. An internal investigation turned up two messages from the criminals involved, which again repeated the allegations with zero evidence, and demanded payment. We have no indications of any breach from our internal infrastructure monitoring.

Like any good conspiracy theory, it is impossible to disprove a breach. On the other hand, a breach can be easily proven by providing evidence. The lack of evidence strongly suggests there is no breach, and this is a simple case of online extortion. Thus, we believe that this is a hoax and failed extortion attempt, and there is zero evidence to suggest otherwise.

None of the claims made are true, and many of the claims are also unsound from a technical standpoint. For instance, the criminals claim that ProtonMail is vulnerable because we do not use SRI (Subresource Integrity), but this claim is nonsense because ProtonMail doesn't use any third-party CDNs (content delivery networks) to serve our web app. We only use web servers that we operate and control ourselves, specifically to eliminate this potential attack vector.

We are aware of a small number of ProtonMail accounts which have been compromised as a result of those individual users falling for phishing attacks (this is why we encourage using 2FA).