The group behind Internet-anonymity software Tor has said many of its users may have been identified by government-funded researchers.
In a note on the non-profit's website, Tor Project leader Roger Dingledine said the service had identified computers on its network that had been quietly altering Tor traffic for five months in an attempt to unmask users connecting to what are known as "hidden services".
Dingledine said it was "likely" the attacking computers, which were removed on July 4, were operated on behalf of two researchers at the Software Engineering Institute, which is housed at Carnegie-Mellon University, but funded mainly by the US Department of Defense.
The pair had been scheduled to speak on identifying Tor users at the Black Hat security conference next month, but after Tor developers complained to Carnegie-Mellon, officials there said the research had not been cleared and cancelled the talk.
Tor is an anonymity tool designed to protect the identity of Internet users. It uses a technique known as onion routing, which anonymises web traffic by encrypting communications and then bouncing them through a randomly chosen path of relays run by volunteers, preventing eavesdroppers from tracking user behaviour.
Dingledine warned yesterday that "users who operated or accessed hidden services from early February through July 4 should assume they were affected", though those navigating to ordinary websites should be in the clear.
He also advised users to upgrade to the latest version of the Tor software, which addresses the vulnerability that was exploited, but cautioned that attempts to crack Tor were likely to continue.
It remains unclear how much data the researchers were able to collect and what will happen to that information, which would be of interest to intelligence agencies and law enforcement as the service is used by human rights activists, criminals and others looking to evade surveillance.
The hidden services that users may have tried to connect to include underground drug sites such as the shuttered Silk Road, as well as privacy-conscious outfits such as SecureDrop, which is designed to safely connect whistleblowers with media outlets.
Dingledine said the physical locations where the hidden services were housed could have been exposed, although probably not the content on them that was viewed by a visitor.
"Unfortunately, I cannot comment," lead Software Engineering Institute researcher Alexander Volynkin told Reuters.
Institute spokesman Richard Lynch declined to comment, while the FBI had no immediate response to questions about whether it would seek the data.
Defense Department spokeswoman Valerie Henderson said she did not know if officials there would have the right to raw research from the Institute.
"You have to know what organization and which individuals inside the Department of Defense might have set this one up," she said. Even if there is an overarching guideline about access to unpublished research, "the general rule may not apply," she added.