Dialog, the invite-only group cofounded by Peter Thiel, notified members and past event participants last week that a database containing their personal information had been breached, supposedly by a criminal hacker. But a WIRED analysis found that the files were readable to anyone who visited a landing page for the group’s app—what cybersecurity experts describe as a misconfiguration that effectively made the data publicly accessible.

The notification to people affected by the data exposure, emailed by Dialog managing director Juliette Levine and provided to WIRED, said that forensic investigators found that the names of 113 past participants in Dialog events had been exposed and, separately, “some” people registered for this summer’s Dialog retreat had their information accessed. Levine said the organization had temporarily closed many of its systems in response.

The exposure, Levine alleged, “was a hack executed by a well-known criminal who is wanted in the United States,” adding that the group had acted “out of caution” to protect “the safety, privacy, and reputation of every Dialoger past and present.”

Multiple reviews of the site’s publicly accessible architecture, though, point to a misconfiguration, not a break-in.

WIRED first reported on the Dialog records last week. They include the list of 113 names that Dialog confirmed to be past participants in its breach disclosure—among them a sitting NATO commander, two US senators, and the US treasury secretary—as well as a separate, longer list of people registered for an August retreat outside Dublin, Ireland. WIRED also reported on records that revealed how the group privately scores attendees, weighing their wealth and prominence in decisions about admission, seating, and pricing.

A Dialog site, set up to distribute a phone app for the August gathering, let any visitor sign up using any email address. It did not request a password. After submitting an email, the visitor was taken to a near-empty holding page; the same page also loaded the internal files on some 200 people into their browser. Viewing the files required little more than inspecting the page with tools built into every major internet browser.

The records made accessible by this process include senior figures in national security and technology, both current and former. Among those whom records showed as being registered for the upcoming Dialog event were NATO officials; a current White House intelligence official; a retired general who held a senior role in US intelligence; and the heads of national security policy and partnerships at two leading AI firms. Other figures included a former British security minister, a former Japanese defense minister, and a former Pakistani diplomat. For nearly all, the exposed data is comprehensive, from private contact information to active login tokens.

The records also contained participant lists, schedules, and links to completed questionnaires hosted by Fillout, a service Dialog used to collect information from attendees and store it in Airtable databases. Loading one of those forms returned far more information than the Dialog page itself contained, including dates of birth, emergency contacts, cell phone numbers, the political leanings Dialog assigns to its members, internal rankings and grading notes, and the digital keys that serve as members’ logins. Much of that information appeared to come directly from Dialog’s Airtable records.

Airtable did not respond to requests for comment.

In a statement to WIRED, Fillout says it was “not aware of any compromise of Fillout systems or active platform vulnerability.” The company says customers configure their own forms, connected data sources, and workflows, and that “the behavior of a given form depends on that configuration.” Fillout declined to comment on any specific customer’s forms or records.
