Some organizations exist to be exclusive. They’re invite-only, and discreet, the kind of place where the membership directory is the product.
Dialog, the exclusive network founded by billionaire investor and PayPal co-founder Peter Thiel, whose members include a sitting NATO commander, two US senators, and the US Treasury Secretary, is one of those.
Last week, information on hundreds of those members was sitting in plaintext on its app distribution site, visible to anyone who knew how to right-click. Then Dialog said it had been hacked.
A signup page that led straight to members’ files
The site was set up to distribute a phone app to support an upcoming gathering for the network, which arranges high-end get-togethers. Any visitor could sign up using any email address. It did not request a password.
After submitting an email, the visitor landed on a near-empty holding page that reportedly loaded internal files on roughly 200 high-profile people directly into their browser. They were visible using “tools built into every major browser,” which appears to refer to the browser’s built-in developer tools.
Those files were not minimal. Loading the questionnaire forms returned dates of birth, emergency contacts, cell phone numbers, the political leanings Dialog assigns to its members, internal rankings and grading notes, and the digital keys that serve as members’ logins. For nearly all of them, the exposed data was comprehensive, from private contact information through to active login tokens.
The records also included a current White House intelligence official, a retired general who held a senior role in US intelligence, and the heads of national security policy at two leading AI firms. Dialog also privately scores attendees, weighing their wealth and prominence in decisions about admission, seating, and pricing. Those scores were among the things sitting in the public HTML.
Dialog on the defensive
Dialog’s managing director described the access as a hack “executed by a well-known criminal who is wanted in the United States.”
WIRED, which broke the story, found no evidence that any break-in was required. In fact, it seems to have involved little more than clicking on a link on a web page.
The forms were built using Fillout, a popular online form builder. The data was stored in Airtable, a widely used cloud database platform. Fillout said it was unaware of any compromise to its own systems and noted that customers are responsible for configuring their forms, connected data sources, and workflows.
Dialog has not said when the misconfigured page first went live, meaning members’ data could have been openly accessible for an indeterminate period before it was discovered.
Security misconfiguration now ranks #2 on the OWASP Top 10 for 2025, an industry list of the top application security risks, up from #5 in 2021. The category accounts for more than 719,000 documented security weaknesses.
The fix is also routine: build systems with only the features you need, and configure them securely.
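The failure described above, full member records delivered to a page that needed almost none of them, can be caught before a page ships. The sketch below is an added example, not Dialog's, Fillout's, or Airtable's code: it assumes the records reach the browser as JSON inside a `<script type="application/json">` element, and the field names and sample record are constructed.

```python
import json
from html.parser import HTMLParser

# Assumed field names: the article lists the kinds of data, not the schema.
SENSITIVE = {"date_of_birth", "cell_phone", "emergency_contact",
             "political_leaning", "internal_score", "login_token"}
PUBLIC_FIELDS = ("first_name", "event")  # all a holding page needs

# Constructed sample record, not real data.
SAMPLE = {"first_name": "A. Member", "event": "gathering",
          "date_of_birth": "1970-01-01", "cell_phone": "+1-555-0100",
          "profile": {"internal_score": 7, "login_token": "CONSTRUCTED-TOKEN"}}

class ScriptJSON(HTMLParser):
    """Collect the bodies of <script type="application/json"> elements."""
    def __init__(self):
        super().__init__()
        self.blobs, self._in = [], False
    def handle_starttag(self, tag, attrs):
        self._in = tag == "script" and dict(attrs).get("type") == "application/json"
        if self._in:
            self.blobs.append("")
    def handle_endtag(self, tag):
        self._in = False
    def handle_data(self, data):
        if self._in:
            self.blobs[-1] += data

def exposed_fields(html):
    """Return sensitive keys found at any depth in JSON embedded in a page."""
    parser = ScriptJSON()
    parser.feed(html)
    parser.close()
    found = set()
    def note(obj):  # json calls this for every decoded object, nested or not
        found.update(SENSITIVE.intersection(obj))
        return obj
    for blob in parser.blobs:
        try:
            json.loads(blob, object_hook=note)
        except json.JSONDecodeError:
            continue  # not JSON after all; nothing to inspect
    return sorted(found)

def render(record, fields=None):
    """fields=None sends the whole record (the exposure); a tuple is an allowlist."""
    data = record if fields is None else {f: record[f] for f in fields if f in record}
    return '<div id="app"></div><script type="application/json">' + json.dumps(data) + "</script>"
```

Run as a release check, `exposed_fields(render(SAMPLE))` flags the nested token and score as well as the top-level fields, while the allowlisted render comes back clean.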
What this means for the rest of us
How organizations describe incidents matters beyond a single breach. If simply accessing publicly available information is routinely labeled a “hack,” security researchers may become more reluctant to investigate and responsibly disclose exposed systems, leaving misconfigurations undiscovered for longer.
For end users, the lesson is older than the internet. If an organization collects your date of birth, your emergency contacts, and a private score of how much you’re worth to them, ask where that data lives. Any answer involving “our website” deserves a second question, and anything that stops at “we take your security very seriously” deserves further questioning.