Dialog, the invitation-only network founded by billionaire investor and PayPal co-founder Peter Thiel, left personal records on roughly 200 of its high-profile members sitting in plain text on a public web page, where anyone could read them using nothing more than the developer tools built into an ordinary browser.
According to Malwarebytes Labs, the exposed roster reads like a who's who of Washington power: a sitting NATO commander, two US senators, the US Treasury Secretary, a current White House intelligence official, a retired general who held a senior US intelligence role, and the heads of national security policy at two leading AI firms.
What was exposed
The data was not minimal. For nearly every member, the files included dates of birth, emergency contacts, cell phone numbers, the political leanings Dialog privately assigns to each person, internal rankings and grading notes, and the digital keys that serve as members' logins. Dialog also scores attendees on their wealth and prominence to decide on admission, seating, and pricing, and those scores were sitting in the public page source too.
How the data leaked
There was no sophisticated intrusion. The site existed to distribute a phone app for an upcoming Dialog gathering. Any visitor could sign up with any email address, and the page asked for no password. After submitting an email, the visitor reached a near-empty holding page that quietly loaded the internal questionnaire files for those roughly 200 people straight into the browser, where they were visible through standard browser developer tools.
The forms were built with Fillout, a popular online form builder, and the records lived in Airtable, a widely used cloud database. Fillout said it found no compromise of its own systems and noted that customers are responsible for configuring their forms, data sources, and workflows. In other words, this was a configuration failure, not a broken lock. Dialog has not said how long the page was live, so the records may have been openly accessible for an unknown stretch before anyone noticed.
A "hack" with no break-in
Dialog's managing director described the incident as a hack "executed by a well-known criminal who is wanted in the United States." Researchers who examined the exposure found no evidence that any break-in was required, just a click on a link. Security misconfiguration now ranks second on the 2025 OWASP Top 10 of application security risks, up from fifth in 2021, and accounts for hundreds of thousands of documented weaknesses. This is the same class of mistake behind other recent exposures, from a 24 billion record database left open on the internet to a vendor slip that spilled passport and license data on 3 million Texans.
What you should do
For organizations, the fix is routine: build systems with only the features you need and lock down every connected data source by default. For individuals, the lesson is older than the internet. If a group collects your date of birth, your emergency contacts, and a private estimate of your net worth, ask where that data lives. Any answer that stops at "we take your security very seriously" deserves a harder second question.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.