Dialog Claims It Was Hacked. A Misconfigured Website Left Its Members Exposed | WIRED

Overview

Dialog Claims It Was Hacked. A Misconfigured Website Left Its Members Exposed

Dialog, the invite-only group cofounded by Peter Thiel, notified members and past event participants last week that a database containing their personal information had been breached, supposedly by a criminal hacker. But a WIRED analysis found that the files were readable to anyone who visited a landing page for the group’s app—what cybersecurity experts describe as a misconfiguration that effectively made the data publicly accessible.

Details

The notification to people affected by the data exposure, emailed by Dialog managing director Juliette Levine and provided to WIRED, said that forensic investigators found that the names of 113 past participants in Dialog events had been exposed and, separately, “some” people registered for this summer's Dialog retreat had their information accessed. Levine said the organization had temporarily closed many of its systems in response.

The exposure, Levine alleged, “was a hack executed by a well-known criminal who is wanted in the United States,” adding that the group had acted “out of caution” to protect “the safety, privacy, and reputation of every Dialoger past and present.”

Multiple reviews of the site's publicly accessible architecture, though, point to a misconfiguration, not a break-in.

WIRED first reported on the Dialog records last week. They include the list of 113 names that Dialog confirmed to be past participants in its breach disclosure—among them a sitting NATO commander, two US senators, and the US treasury secretary—as well as a separate, longer list of people registered for an August retreat outside Dublin, Ireland. WIRED also reported on records that revealed how the group privately scores attendees, weighing their wealth and prominence in decisions about admission, seating, and pricing.

Do you have information about Dialog you'd like to share? We'd like to hear from you. Using a nonwork phone or computer, contact the reporters securely on Signal at dell.3030 and dmehro.89.

In a statement to WIRED, Fillout says it was “not aware of any compromise of Fillout systems or active platform vulnerability.” The company says customers configure their own forms, connected data sources, and workflows, and that “the behavior of a given form depends on that configuration.” Fillout declined to comment on any specific customer's forms or records.

Dialog, which did not respond to requests for comment, had outside counsel send a letter this weekend demanding WIRED hand over a copy of the data it had received. The letter, signed by partner D. Reed Freeman at the law firm Arent Fox Schiff, characterizes the breach as a “cyberattack” by a “known cybercriminal,” argues the files were “stolen,” and says Dialog has also reported the incident to law enforcement. WIRED has not provided Dialog or its attorneys with any data.

The exposure first came to light after maia arson crimew—a Swiss journalist and cybersecurity researcher who was indicted in the US in 2021 on hacking-related charges but has not been convicted of any crimes—received tips from two sources, she says. One had been reviewing US Department of Justice records related to Jeffrey Epstein when they noticed Dialog’s name on an invitation sent to a third party in 2012, which had been forwarded to the infamous sex offender, and grew curious about the secretive group. A second source later pointed crimew to the retreat app.

crimew says she neither exploited a software flaw nor bypassed any security measures to access the Dialog data, and viewed the same records that were available to every visitor’s browser.

Nicholas Weaver, a member of the nonprofit International Computer Science Institute's network security team, says the exposure bears the hallmarks of a web design error rather than a sophisticated intrusion. “This is negligence and a not-actually-unheard-of anti-pattern,” Weaver says, referring to a common but avoidable mistake.

Aaron Mackey, deputy legal director at the Electronic Frontier Foundation, a digital rights nonprofit, says that based on what’s publicly known about outside access to Dialog data, characterizing the activity as “criminal” appears “far-fetched.” He warns that broad computer-crime laws are sometimes invoked to chill security research, journalism, and other First Amendment–protected activity.

Based on the available details, Mackey says, the incident involved Dialog’s website giving data to people who had entered an email address on the site, rather than anyone bypassing a technical control to gain access. “In that circumstance, they've done nothing more than follow a link on a website,” he says.

The Dialog exposure set off a public scramble among prominent attendees to explain their presence on the list. Ezra Klein, the New York Times columnist, wrote on X that he had attended Dialog twice, in 2018 and 2022, but did not see or speak with Peter Thiel and noted that the people named in his statement “do not trust each other and do not have aligned agendas.” Actor Joseph Gordon-Levitt said on Instagram that he had been to two conferences but had never met or spoken with Thiel, whom he described as his political and ideological opposite. Actress Sophia Bush, who has campaigned against deepfake technology, said she had attended to push back on AI hype and was surprised to learn the group was cofounded by someone “you could not pay me to be in a room with.”

In your inbox: Brian Kahn’s guide to how the universe works

Meta added face recognition—and deleted it after a WIRED report

Big Story: Jeff Bezos’ hunt for the brain’s ‘core algorithm’

El Niño is here to turn the world’s weather upside down

WIRED event: Pepsi Co’s once-in-a-generation transformation

Key Takeaways

Dialog Claims It Was Hacked
Dialog, the invite-only group cofounded by Peter Thiel, notified members and past event participants last week that a database containing their personal information had been breached, supposedly by a criminal hacker
The notification to people affected by the data exposure, emailed by Dialog managing director Juliette Levine and provided to WIRED, said that forensic investigators found that the names of 113 past participants in Dialog events had been exposed and, separately, “some” people registered for this summer's Dialog retreat had their information accessed
The exposure, Levine alleged, “was a hack executed by a well-known criminal who is wanted in the United States,” adding that the group had acted “out of caution” to protect “the safety, privacy, and reputation of every Dialoger past and present
Multiple reviews of the site's publicly accessible architecture, though, point to a misconfiguration, not a break-in