From the Wall St. Journal:
Tor, a service used to cloak the identity of Internet users, says outsiders breached its network and tried to learn the identities of some users earlier this year.
The service says the attack was likely the work of researchers at Carnegie-Mellon University, who had planned to demonstrate a Tor hack at a conference next week. The talk was cancelled last week.
A Carnegie-Mellon spokesman said, “We don’t have anything to add.” The researchers couldn’t be reached for comment. Carnegie-Mellon lawyers previously said the research project wasn’t yet cleared for public release.
From the Tor Blog:
Unfortunately, it’s still unclear what “affected” includes. We know the attack looked for users who fetched hidden service descriptors, but the attackers likely were not able to see any application-level traffic (e.g. what pages were loaded or even whether users visited the hidden service they looked up). The attack probably also tried to learn who published hidden service descriptors, which would allow the attackers to learn the location of that hidden service. In theory the attack could also be used to link users to their destinations on normal Tor circuits too, but we found no evidence that the attackers operated any exit relays, making this attack less likely. And finally, we don’t know how much data the attackers kept, and due to the way the attack was deployed (more details below), their protocol header modifications might have aided other attackers in deanonymizing users too.
Read the Complete Blog Post