Dialog Claims It Was Hacked. A Misconfigured Website Left Its Members Exposed

Wired, June 23, 2026

Dialog, the invite-only group cofounded by Peter Thiel, notified members and past event participants last week that a database containing their personal information had been breached, supposedly by a criminal hacker. But a WIRED analysis found that the files were readable to anyone who visited a landing page for the group’s app—what cybersecurity experts describe as a misconfiguration that effectively made the data publicly accessible.
The notification to people affected by the data exposure, emailed by Dialog managing director Juliette Levine and provided to WIRED, said that forensic investigators found that the names of 113 past participants in Dialog events had been exposed and, separately, “some” people registered for this summer's Dialog retreat had their information accessed. Levine said the organization had temporarily closed many of its systems in response.
The exposure, Levine alleged, “was a hack executed by a well-known criminal who is wanted in the United States,” adding that the group had acted “out of caution” to protect “the safety, privacy, and reputation of every Dialoger past and present.”
Multiple reviews of the site's publicly accessible architecture, though, point to a misconfiguration, not a break-in.
WIRED first reported on the Dialog records last week. They include the list of 113 names that Dialog confirmed to be past participants in its breach disclosure—among them a sitting NATO commander, two US senators, and the US treasury secretary—as well as a separate, longer list of people registered for an August retreat outside Dublin, Ireland. WIRED also reported on records that revealed how the group privately scores attendees, weighing their wealth and prominence in decisions about admission, seating, and pricing.
A Dialog site, set up to distribute a phone app for the August gathering, let any visitor sign up using any email address. It did not request a password. After submitting an email, the visitor was taken to a near-empty holding page; the same page also loaded the internal files on some 200 people into their browser. Viewing the files required little more than inspecting the page with tools built into every major internet browser.
The records made accessible by this process include senior figures in national security and technology, both current and former. Among those whom records showed as being registered for the upcoming Dialog event were NATO officials; a current White House intelligence official; a retired general who held a senior role in US intelligence; and the heads of national security policy and partnerships at two leading AI firms. Other figures included a former British security minister, a former Japanese defense minister, and a former Pakistani diplomat. For nearly all, the exposed data is comprehensive, from private contact information to active login tokens.
The records also contained participant lists, schedules, and links to completed questionnaires hosted by Fillout, a service Dialog used to collect information from attendees and store it in Airtable databases. Loading one of those forms returned far more information than the Dialog page itself contained, including dates of birth, emergency contacts, cell phone numbers, the political leanings Dialog assigns to its members, internal rankings and grading notes, and the digital keys that serve as members' logins. Much of that information appeared to come directly from Dialog's Airtable records.
Airtable did not respond to requests for comment.
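
The pattern described above, a holding page whose payload carries full records for any unverified sign-up, shown beside a deny-by-default version. This is an added example, not code from WIRED, Dialog, Fillout or Airtable; the record fields, session shape and function names are hypothetical.

```javascript
// Constructed sample records; field names are hypothetical, not Dialog's schema.
const RECORDS = [
  { id: 1, email: "a@example.org", name: "Attendee A", phone: "+1-555-0100",
    internalScore: 7, loginToken: "tok-constructed-1" },
  { id: 2, email: "b@example.org", name: "Attendee B", phone: "+1-555-0101",
    internalScore: 9, loginToken: "tok-constructed-2" },
];

// Anti-pattern: the session is never consulted, so any submitted email gets a
// holding page whose payload embeds every record with every field.
function holdingPagePayloadWeak(session) {
  return { message: "Coming soon", attendees: RECORDS };
}

// Hardened: deny by default, serve only the caller's own record, and only
// the fields on an explicit allowlist.
const PUBLIC_FIELDS = ["id", "name"];

function holdingPagePayload(session) {
  const base = { message: "Coming soon" };
  if (!session || !session.emailVerified) return base; // unverified: no data
  const own = RECORDS.find((r) => r.email === session.email);
  if (!own) return base;                               // not a registrant
  const profile = {};
  for (const f of PUBLIC_FIELDS) profile[f] = own[f];
  return { ...base, profile };
}

// Release check: list sensitive field names present in a serialized payload,
// which is what a visitor's browser developer tools would show.
const SENSITIVE = ["phone", "internalScore", "loginToken"];

function leakedFields(payload) {
  const text = JSON.stringify(payload);
  return SENSITIVE.filter((f) => text.includes(`"${f}"`));
}
```

Running `leakedFields` against every response a page can produce, for both an unverified and a verified session, catches this class of exposure before deployment.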
Got a Tip?
Do you have information about Dialog you'd like to share? We'd like to hear from you. Using a nonwork phone or computer, contact the reporters securely on Signal at dell.3030 and dmehro.89.
In a statement to WIRED, Fillout says it was “not aware of any compromise of Fillout systems or active platform vulnerability.” The company says customers configure their own forms, connected data sources, and workflows, and that “the behavior of a given form depends on that configuration.” Fillout declined to comment on any specific customer's forms or records.
Dialog, which did not respond to requests for comment, had outside counsel send a letter this weekend demanding WIRED hand over a copy of the data it had received. The letter, signed by partner D. Reed Freeman at the law firm ArentFox Schiff, characterizes the breach as a “cyberattack” by a “known cybercriminal,” argues the files were “stolen,” and says Dialog has also reported the incident to law enforcement. WIRED has not provided Dialog or its attorneys with any data.
The exposure first came to light after maia arson crimew—a Swiss journalist and cybersecurity researcher who was indicted in the US in 2021 on hacking-related charges but has not been convicted of any crimes—received tips from two sources, she says. One had been reviewing US Department of Justice records related to Jeffrey Epstein when they noticed Dialog’s name on an invitation sent to a third party in 2012, which had been forwarded to the infamous sex offender, and grew curious about the secretive group. A second source later pointed crimew to the retreat app.
crimew says she neither exploited a software flaw nor bypassed any security measures to access the Dialog data, and viewed the same records that were available to every visitor’s browser.
Nicholas Weaver, a member of the nonprofit International Computer Science Institute's network security team, says the exposure bears the hallmarks of a web design error rather than a sophisticated intrusion. “This is negligence and a not-actually-unheard-of anti-pattern,” Weaver says, referring to a common but avoidable mistake.
Aaron Mackey, deputy legal director at the Electronic Frontier Foundation, a digital rights nonprofit, says that based on what’s publicly known about outside access to Dialog data, characterizing the activity as “criminal” appears “far-fetched.” He warns that broad computer-crime laws are sometimes invoked to chill security research, journalism, and other First Amendment–protected activity.
Based on the available details, Mackey says, the incident involved Dialog’s website giving data to people who had entered an email address on the site, rather than anyone bypassing a technical control to gain access. “In that circumstance, they've done nothing more than follow a link on a website,” he says.
The Dialog exposure set off a public scramble among prominent attendees to explain their presence on the list. Ezra Klein, the New York Times columnist, wrote on X that he had attended Dialog twice, in 2018 and 2022, but did not see or speak with Peter Thiel and noted that the people named in his statement “do not trust each other and do not have aligned agendas.” Actor Joseph Gordon-Levitt said on Instagram that he had been to two conferences but had never met or spoken with Thiel, whom he described as his political and ideological opposite. Actress Sophia Bush, who has campaigned against deepfake technology, said she had attended to push back on AI hype and was surprised to learn the group was cofounded by someone “you could not pay me to be in a room with.”
