We’ve been hacked.
Early Saturday morning Dispatch machines were the latest of a string of machines at Stanford to be targeted by external hackers. The machines were compromised for approximately 30 hours before being dismantled.
We’ve taken these systems down and have temporarily disabled Dispatch while we clean the machines and investigate what happened. Within a few days we should issue new secret keys and have the app up and running again.
- Two important parts of our system were compromised: the server in charge of issuing keys and the message router, which contains encrypted messages linked to hashed identities
- We’ve disabled both and will be issuing new keys before reenabling Dispatch
- The machines appear to have been targeted in an attempt to reach other Stanford machines, not because they were being used to support Dispatch
What does this mean?
- Any messages that are on your device were not on the router, which only contained undelivered encrypted messages
- If you used a throw-away anonymous email address to sign up for Dispatch, your identity was not compromised
No users appear to have been hurt in this breach, but we are committed to taking every step possible to preventing a similar compromise in the future.
A key part of our mission at Dispatch is to promote free and open discourse. In that spirit, we’ll be posting a more detailed update once we’ve analyzed the attack further. In the meantime we welcome any feedback, comments or questions – you can reach us at dispatch lists (at)cs.columbia.edu