Tor project lead Roger Dingledine confirmed the hack in an e-mail that urged users to immediately upgrade to get fresh identity keys for the two compromised directory authorities.
We took the services offline as soon as we learned of the breach. It appears the attackers didn't realize what they broke into -- just that they had found some servers with lots of bandwidth. The attackers set up some ssh keys and proceeded to use the three servers for launching other attacks. We've done some preliminary comparisons, and it looks like git and svn were not touched in any way.
We've been very lucky the past few years regarding security. It still seems this breach is unrelated to Tor itself. To be clear, it doesn't seem that anyone specifically attacked our servers to get at Tor. It seems we were attacked for the CPU capacity and bandwidth of the servers, and the servers just happened to also carry out functions for Tor.
The attackers did not meddle with the Tor source code, he said. "We made fresh identity keys for the two directory authorities, which is why you need to upgrade," Dingledine added.
Users are strongly encouraged to upgrade to Tor 0.2.1.22 or 0.2.2.7-alpha.