Patreon hacked, anonymous patrons exposed

A massive 15GB data dump of user data is now open for the Internet to see.
Written by Charlie Osborne, Contributing Writer

Artist crowdfunding service Patreon has experienced a catastrophic data breach leading to the theft and leak of user data online.

On Thursday, the crowdfunding service informed customers that a data breach had taken place.

In a blog post, Patreon CEO and co-founder Jack Conte said a Patreon database containing user information had been compromised, leading to unauthorized access to data including registered names, email addresses, posts, and some shipping addresses in addition to a number of billing addresses stored prior to 2014.

Conte emphasized that no full credit card numbers were stored on the firm's servers, and no credit card numbers were compromised.

"Although accessed, all passwords, social security numbers and tax form information remain safely encrypted with a 2048-bit RSA key," the Patreon CEO said.

In an email sent to customers, Patreon apologized for the "breach of trust."

Patreon was compromised on September 28 via a debug version of the Patreon website which was publicly available.

The crowdfunding site's engineering team have blocked the access point at fault -- shutting down the debug server and moving non-production servers behind a firewall -- and are taking steps to help prevent future data breaches.

A third-party security firm has been hired to investigate and is conducting an internal security audit.

"I take our creators' and patrons' privacy very seriously. It is our team's mission to help creators get paid for the immeasurable value they provide to all of us, and earning your trust to provide that service in a safe and secure way is Patreon's highest priority," Conte said.

Data stolen from Patreon has been dumped on various bin websites across the web. Microsoft security professional Troy Hunt has been digging through the data, which appears legitimate -- with some users confirming to ZDNet their information is within -- but due to the 15GB size of the data dump, a full analysis will take some time.

Once sorting is complete, Hunt plans to include this data within the HaveIBeenPwned service, giving users the chance to check if their data has been leaked online.

A total of 2.3 million unique email addresses have been discovered so far within the data dump.

Unfortunately for Patreon users, this leaked data could be used in identity theft. In addition, there may be political or personal reasons for anonymously contributing to a project, and this exposure could lead to this concealment being blown wide open and private communication brought to light. As noted by Hunt:


Patreon uses the bcrypt hashing scheme to protect user passwords. While each password is salted and should be difficult to crack, as the website's source code is reportedly contained within the data dump, there is a chance the bcrypt-hashed data could be recovered.

Users are encouraged to change their account passwords as quickly as possible.
