Tor Project suffers hack attack

The Tor Project, a service that provides privacy and anonymity to Web users, said hackers broke into two of its servers and used the CPU and bandwidth to launch additional attacks.

Tor project lead Roger Dingledine confirmed the hack in an e-mail that urged users to immediately upgrade to get fresh identity keys for the two compromised directory authorities.

Dingledine writes:

We took the services offline as soon as we learned of the breach. It appears the attackers didn't realize what they broke into -- just that they had found some servers with lots of bandwidth. The attackers set up some ssh keys and proceeded to use the three servers for launching other attacks. We've done some preliminary comparisons, and it looks like git and svn were not touched in any way.

We've been very lucky the past few years regarding security. It still seems this breach is unrelated to Tor itself. To be clear, it doesn't seem that anyone specifically attacked our servers to get at Tor. It seems we were attacked for the CPU capacity and bandwidth of the servers, and the servers just happened to also carry out functions for Tor.

The attackers did not meddle with the Tor source code, he said.  "We made fresh identity keys for the two directory authorities, which is why you need to upgrade," Dingledine added.

Users are strongly encouraged to upgrade to Tor 0.2.1.22 or 0.2.2.7-alpha.

ALSO SEE:

• Hacker builds tracking system to nab Tor pedophiles
• Critical security alert issued for Tor