Two of the seven directory authority servers that the Tor Project uses to run its anonymous browsing service have been compromised, along with a new server that the project uses to host metrics and graphs.
The project’s organizers discovered the attack earlier this month and are advising users who run Tor nodes to upgrade to a new version of the software. However, the organizers said that there is no risk that the attackers could have matched Tor users to their browsing habits.
“By design, Tor requires a majority of directory authorities (four in this case) to generate a consensus; and like other relays in the Tor network, directory authorities don’t know enough to match a user and traffic or destination,” Roger Dingledine, the original developer of the Tor Project wrote in an email this week.
“We’ve been very lucky the past few years regarding security. It still seems this breach is unrelated to Tor itself. To be clear, it doesn’t seem that anyone specifically attacked our servers to get at Tor. It seems we were attacked for the cpu capacity and bandwidth of the servers, and the servers just happened to also carry out functions for Tor.”