Private Internet Access Transparency Report Q4 2025
We publish transparency reports to show how often authorities come looking for user data, and what happens when they do.
Between October and December 2025, our legal team received a small number of requests from U.S. and international authorities. These included subpoenas, warrants, other government or civil requests, and informal foreign inquiries. As in every previous quarter, none resulted in the disclosure of user data. PIA does not log user activity, so there was nothing to hand over.
This quarter, we continued using the simplified reporting structure introduced earlier in the year. Requests that aren’t subpoenas or warrants are grouped together for clarity, while foreign and informal requests are listed separately to reflect their different legal standing under U.S. law.
A summary of the requests received this quarter appears below. You can also read more on our dedicated Transparency Report page.
PIA’s Q4 2025 Transparency Report
Before we get into the numbers, here’s a quick look at the types of legal notices we track:

Here’s a breakdown of the legal notices we received during Q4 2025.
| Legal Processes | Received | Logs Produced |
| --- | --- | --- |
| Subpoenas | 7 | 0 |
| Warrants | 1 | 0 |
| Other government, law enforcement, and civil requests | 10 | 0 |
| Foreign and informal requests | 12 | 0 |
Legal request volume increased this quarter compared to the previous reporting period. Between October and December, PIA received 30 requests in total, up from 19 in Q3. Subpoenas remained the most common request type, though they declined slightly. The increase came primarily from other government and civil requests, along with a rise in foreign and informal inquiries. We also received a single warrant during the quarter.
Despite the broader mix of requests, the outcome didn’t change. None resulted in the disclosure of user data. PIA’s systems do not retain activity logs, so there was no information available to produce.
Spotlight: PIA Completes Third Deloitte Audit
This quarter, we reaffirmed our commitment to privacy by completing our third independent audit carried out by Deloitte Audit Romania.
Conducted under the International Standard on Assurance Engagements (ISAE) 3000 (Revised), this audit examined our VPN configuration, management systems, and token-based dedicated IP technology.
The audit verified that our server configurations align with our internal privacy policies. It serves as independent validation that our no-logs policy is an engineered reality.
Q4 Bug Bounty Activity
PIA’s bug bounty program continued to provide targeted external testing during the quarter.
Between October and December, we received 14 submissions, 13 of them unique. One report was identified as a valid security issue and addressed. The remaining submissions were false positives and didn’t expose exploitable weaknesses.
Compared to the previous quarter, overall submission volume was lower, but confirmed findings were more concentrated. That reflects the kind of scrutiny the program is designed to encourage: focused testing in areas that matter, with a clear signal when an issue needs attention.

What shaped online security in the U.S. in Q4 2025
Transparency also means paying attention to how privacy and security hold up across the wider internet. In Q4, a series of incidents highlighted how easily large systems can expose sensitive data, whether through unpatched software, misconfigured services, or delayed disclosure.
Extortion activity continues long after major enterprise breaches
In Q4 and early 2026, companies affected by the Oracle E-Business Suite breach continued to report ransom and data exposure demands tied to an incident first disclosed in October. More than 100 organizations, including universities and major firms, faced ongoing extortion attempts as attackers threatened to make stolen personal and financial information public. The persistence of this campaign highlights how breaches can have a long tail of impact on affected users and enterprises.
Underground hacking forums exposed by a data leak
A significant data release impacted BreachForums, a well-known underground hacking community, when an archive containing approximately 324,000 user records was published in early January. The leaked information included usernames, registration dates, and potentially identifiable public IP addresses for tens of thousands of accounts. The incident underscores that even communities built around cybercrime aren’t immune to exposure, and that leaked underground data can itself become an intelligence source for defenders.
Massive automated attacks against misconfigured AI infrastructure
Between October 2025 and January 2026, researchers observed over 91,000 attack attempts targeting misconfigured proxies for large language model services. These campaigns probed exposed AI endpoints to map accessible models and exploit insecure configurations, demonstrating how attackers are shifting some focus toward AI infrastructure and tooling that lack proper isolation and access controls.
Credential abuse overtook malware as a leading cause of breaches
Security reporting in late 2025 showed that stolen credentials and account takeovers were responsible for a growing share of security incidents in the U.S., overtaking malware in many environments. Industry analyses pointed to password reuse, phishing kits, and MFA fatigue attacks as key drivers, particularly against cloud services and remote access systems. Rather than exploiting software flaws, attackers increasingly relied on legitimate credentials to move quietly through systems designed to trust logged-in users.