Proton Mail suspended journalist accounts at request of cybersecurity agency

(theintercept.com)

Comments

fivefives55555 12 September 2025
I've been following this on X/Twitter and I think one of the most egregious things that's important to point out is that folks from Phrack reached out to Proton in private multiple times, and Proton ghosted them. Proton only engaged with them and then reinstated the accounts after Phrack went public and their X/Twitter post went viral.

It also looks like one of the writers filed an appeal with Proton and Proton denied the appeal, so they manually investigated the incident and refused to reinstate the account and then only did after this got attention on X/Twitter.

So make no mistake about it: Proton didn't just disable the accounts after whatever CERT complained, which would have been bad enough - they also didn't do anything about it until this started getting lots of eyes on social media.

johnklos 13 September 2025
The true value of a company can be measured by our ability to communicate with them. If we can't communicate except after public outrage, then what does that say about the company?

Here's a genuine question: is Proton Mail the least shitty of companies that provide email services?

I self-host email and will continue until I die. But for others who need a company to do this for them, is Proton Mail the least shitty of options? Does this change the evaluation? I'm genuinely curious about the opinion of others here.

chatmasta 13 September 2025
Proton dropped from the top spot on my list of “user-first email platforms” when they announced they’ll be deleting accounts that haven’t logged into their service in some arbitrary amount of time. If I can’t rely on my email / messaging / phone / communications provider to keep an open line for as long as I need it – whether that’s one year or two years or twenty years, then I’m not going to use it. And if they require payment in exchange for providing that service, then it better accept privacy-preserving payment, but even then, I’m probably not going to use it.

Proton had a great thing going where their VPN service and business service funded the cost of maintaining free accounts. The fact that they chose to destroy years of trust by announcing a deletion policy, indicated to me that they no longer care about their users more than they care about running a business.

I’m not even asking for something unreasonable. It’d be one thing if they didn’t want to maintain free accounts with no activity but hundreds of gigabytes of storage. But they haven’t stratified the limit by storage usage. If you’ve got a free account consuming a few megabytes of storage, maybe an email you set up for the government service you interact with every few years… well you better make sure you remember to do the arbitrary chore of logging into that account every year, or Proton will just delete it, no questions asked.

Maybe they’ll send you some reminders if you gave them a “recovery” email, but that defeats the point of signing up to a privacy-preserving email service and calls into question the premise that they even are one.

(In related news, I need to text myself on Google Voice every few months or they’re gonna delete the number I use for 2FA on critical services… and this is an account that has $4 of credit loaded into it from ten years ago…)

0-_-0 13 September 2025
Proton's response copied from a Reddit thread:

Hi everyone,

No, Proton did not knowingly block journalists’ email accounts. Our support for journalists and those working in the public interest has been demonstrated time and again through actions, not just words.

In this case, we were alerted by a CERT that certain accounts were being misused by hackers in violation of Proton’s Terms of Service. This led to a cluster of accounts being disabled.

Because of our zero-access architecture, we cannot see the content of accounts and therefore cannot always know when anti-abuse measures may inadvertently affect legitimate activism.

Our team has reviewed these cases individually to determine if any can be restored. We have now reinstated 2 accounts, but there are other accounts we cannot reinstate due to clear ToS violations.

Regarding Phrack’s claim on contacting our legal team 8 times: this is not true. We have only received two emails to our legal team inbox, last one on Sep 6 with a 48-hour deadline. This is unrealistic for a company the size of Proton, especially since the message was sent to our legal team inbox on a Saturday, rather than through the proper customer support channels.

The situation has unfortunately been blown out of proportion without giving us a fair chance to respond to the initial outreach.

Thank you for your understanding,
The Proton Team

nsagent 12 September 2025
I've been a paying subscriber to Proton since 2018, but I recently canceled my subscription (which ends in November). I just got fed up with the constant bugginess and jankiness of their offerings.

Any suggestions for mail hosting and VPN? I hear good things about Fastmail and mailbox.org (I see they very recently rebranded to just mailbox and revamped their offering).

Also, I've been a heavy user of the SimpleLogin alias service. Any suggestions for easily porting all those accounts to a new provider? Manually changing each and every account to a new email seems painful.

gruez 12 September 2025
Can proton even win here? The obvious solution would be "we don't take down unless there's a court order", but then you'd get exposé pieces saying how protonmail is a den for drug dealers/pedophiles/doxxers/cyber criminals.

bix6 12 September 2025
The Reddit response from Proton: https://www.reddit.com/r/ProtonMail/comments/1nd1nrc/comment...

I’d like more details about the initial CERT contact if anyone knows anything

antonymoose 12 September 2025
PSA: Proton deletes “unused” accounts after one year, and defines unused in some opaque sense where receiving but not sending emails is “unused” so I’m in a nasty position of my iCloud account being unrecoverable. Going to have to spend nontrivial time offboarding my account.

BrandoElFollito 12 September 2025
The silence of proton can only be interpreted to their disadvantage. This is not very smart and will make everyone doubt them.

While I like the idea of a safe and uncompromising service, proton seems less so now.

rvnx 12 September 2025
It is very naive to believe that email providers and VPNs do not have to respect the laws.

If this were the case they would not be approved by any payment providers at all.

On top of that, add the possibility that hosting companies and upstream network peers would shut them down.

drnick1 13 September 2025
And this is why I host my own email server, even if I am not a journalist investigating governments or anything of the sort. It's a matter of control over my computing.

segmondy 12 September 2025
When people show you themselves, believe them. Proton is no longer to be trusted. Use at your own risk.

sitzkrieg 12 September 2025
proton always glowed but just straight up bending to unnamed agencies puts em rank and file with every single other provider

daft_pink 12 September 2025
You either die a hero, or you live long enough to see yourself become the villain.

IncreasePosts 12 September 2025
So, is this a case where Random Cybersecurity/Tech Group mistakes responsible disclosure for hacking, and then reported it to Proton, which took their word for it and disabled the account?

drnick1 13 September 2025
As far as I can remember, you don't even get IMAP access on the Proton free tier. For me, that's a non-starter. The privacy claims are also mostly marketing, as it is basically impossible to verify what Proton actually does when approached by a three-letter agency. I wouldn't use email anyway if I had something to hide, the email protocol wasn't designed with secrecy of communications in mind. For that, Signal seems far better, or perhaps a self-hosted, encrypted Matrix room.

pagansRpedos 12 September 2025
It's because the journalists were covering the professor-student rape scandal at UIUC Champaign that was covered up by Champaign and other governing bodies.

SilverElfin 12 September 2025
I thought Proton was a confidentiality / privacy oriented thing. How do they even know who owns the accounts?

0xbadc0de5 12 September 2025
Last time I checked, hacking was still a crime in most jurisdictions - even if the target is considered a geopolitical adversary. This sort of activity is also against the Proton ToS. Once KrCERT and Proton were alerted to this activity, they would have been legally obligated to act.

That's not to say I feel any sympathy to the target - who by all counts has done a fair bit of damage. But this sort of hacktivism / vigilantism simply isn't helpful. There's a high likelihood that one or more nation states / law enforcement agencies may have had active operations directed against this threat actor derailed by such activity.

tl;dr - If you're going to conduct such activities, practice proper OPSEC. And don't let your desire for attention / recognition take priority over staying on the right side of the law.

Ey7NFZ3P0nzAe 13 September 2025
I'm worried and surprised to see the many comments here that, contrary to what I'm used to reading here, nobody seems to have dug deeper, looked critically at the evidence. Quite a lot of just ad hominem and insinuations.

This looks like brigading to me. Which is the only way for govs to fight against protonmail: spreading doubt.

Hence I am reinforced to continue being a strong supporter of Proton.

shauntest12321 13 September 2025
Forward Email fan for the fact they are 100% open source. Easy access to the developers. All others closed source in most regards.

ChrisArchitect 12 September 2025
A related submission a few days ago with similar Proton response on twitter: https://news.ycombinator.com/item?id=45201153

dotnet00 12 September 2025
Hmm going to wait and see how this plays out, maybe it's time to look at alternatives, assuming that my custom domain email isn't somehow locked to them.

WarOnPrivacy 13 September 2025

KingOfCoders 13 September 2025
From the Proton/X discussion in the Intercept article

"Big Tech CEOs are tripping over themselves to kiss the ring precisely because Trump represents an unprecedented challenge to their monopolistic dominance."

They don't know how this is going, from what I see Trump threatens something not to change something, but to get something. If there is any anti-trust drive it's there to shake the tree, not to break up big tech. Trump loves big US corporations, like those in the 50s and 60s, those pre-Bell-breakup.

demarq 13 September 2025
Proton does not do anything it says on the tin.

Just a warning

yieldcrv 13 September 2025
Proton mail is an exercise in gullibility

Imustaskforhelp 13 September 2025
Side note regarding proton that it seems that people are mentioning the fact that IP is being tracked with user creation in proton mail?

So if someone downloads proton vpn and uses it that way, then I always considered it to be the best vpn (even better than mullvad) but I guess I was wrong...

I would still use protonvpn but I will try to migrate towards quite frankly more services from now on.. Email should just be a way to discuss what should be your matrix account or xmpp or even signal...

Another thing that I want to point out is that I had once gone into network permissions etc. in proton docs and tried to write a comment and write stuff etc. and I am not sure about the writing stuff but although these do feel "encrypted" but I saw a thing in the api response when I did curl or something which showed logs so I assumed proton keeps logs..

Another problem I feel is that since proton is only encrypted via your password which you enter into the system and it seems that you can change the password if you have something like phone verification. Fundamentally something like this can only work if they have the keys, so they are having the keys to your encrypted account. I am sure that there are ways of adding your own private key too but how many people using proton are doing that?

Fundamentally, this is how the stack will work or has to work imo. You are trusting them because of lack of conflicts. They have built their name on privacy and so everyone will leave if they are less private but the thing is, is that they might be using some open source tech that might have an update that couldn't be audited or somehow get hacked themselves and since proton might have some juicy targets like journalists. People's lives may be on the cutting edge.

I heard this somewhere that I wish to share, you want technologically private solutions not because you don't trust someone but rather that it should remove the need of trusting in the first place. Proton hasn't / can't reach it imo.

I don't mean any hate towards proton but that was my understanding. I still use it and in fact Please let me know if I caught something wrong or what I am saying is correct. My purpose is not to spread misinformation but rather inform my opinions/correct them if I am wrong.. (I may be wrong, I usually am [my most loved line from the book how to win friends and influence people])

I feel as if we need to get things like pi etc. or whatever and at least to me hosting something like matrix seems okay-ish I am not sure. Email just doesn't feel as if a good protocol for privacy.