Reuters reports that Tor, an anonymization network for online activities, told users that it had been attacked:
Tor, the prominent system for protecting Internet privacy, said on Wednesday many of its users trying to reach hidden sites might have been identified by government-funded researchers.
In a note on the nonprofit’s website, Tor Project leader Roger Dingledine said the service had identified computers on its network that had been quietly altering Tor traffic for five months in an attempt to unmask users connecting to what are known as “hidden services.”
Dingledine said it was “likely” the attacking computers, which were removed on July 4, were operated on behalf of two researchers at the Software Engineering Institute, which is housed at Carnegie-Mellon University, but funded mainly by the U.S. Department of Defense.
The pair had been scheduled to speak on identifying Tor users at the Black Hat security conference next month. After Tor developers complained to Carnegie-Mellon, officials there said the research had not been cleared and canceled the talk.
Previous reports on the research had already raised alarms among privacy activists. Dingledine went further, warning on Wednesday that “users who operated or accessed hidden services from early February through July 4 should assume they were affected.” […]
It remains uncertain how much data the researchers were able to collect and what will happen to that information, which would be of interest to intelligence agencies and law enforcement. […]
Dingledine advised users to upgrade to the latest version of its software, which addresses the vulnerability that was exploited. He cautioned that attempts to break Tor were likely to continue.