Cryptocat not so secure
Posted by: TimW on 07/08/2013 03:53 PM
Messages sent via Cryptocat between 17 October 2011 and 15 June 2013 are compromised, according to security expert Steve Thomas. All versions of the chat software are affected. The hole was closed with version 2.0.42. Steve Thomas has a massive go at the software developers on his web site.
The software encrypts users' messages with Off-the-Record (OTR) messaging, which is designed to provide secure encrypted communication. This technique generates new key pairs for every chat to provide what is known as perfect forward secrecy (PFS): if one key is cracked, previous and subsequent keys remain protected. Cryptocat can be used as a browser extension for Chrome, Firefox and Safari. Thomas says that the hole makes it possible to decrypt a seemingly secure, encrypted chat recording in a matter of minutes.
The Cryptocat developers have since responded with a post on their development blog, expressly thanking Steve Thomas for his effort. According to the developers, the bug didn't affect private chats because it only occurred in group chats with more than two participants.