Security expert Steve Thomas, who discovered the hole, wrote on his blog that any users of Cryptocat between 17 October 2011 and 15 June 2013 should assume that their messages were compromised, as well as those of whomever they were talking to.
Cryptocat, for its part, says that the hole was open from version 2.0 up to, but not including, the latest fixed version, 2.0.42. That period covers seven months, Cryptocat says.
During his 70-minute discussion, Kobeissi owned up to mistakes, including having hired code auditors rather than cryptographers.
first lesson: even the best encrypted services are broken by bad coding
second lesson: even online encrypted services should be combined with Tor or a secure proxy (not in the USA, UK or another Echelon partner) before logging on
third lesson: protection is not timeless (that is why the NSA is keeping all encrypted communications of interest on its servers)
fourth lesson: if your organisation's information is worth a lot to others, then you should protect it accordingly - even if that is going to cost some money (travel a bit less or hold fewer receptions)