Patreon, a crowd funding site dedicated to helping artists and creators support themselves through donations, has become the latest hacking victim in a series of web dumps that seem poised to change how the Internet tackles security.
Creators & patrons, please see this post for details regarding a recent security breach & how we’ve resolved it: http://t.co/wfmmDPP4kK
— Patreon (@Patreon) October 1, 2015Patreon is perhaps best known for being the support structure for YouTube vloggers, who typically don’t get paid enough from simple YouTube clicks alone and must rely on outside patron-ship to work as a YouTuber full-time.
Usernames, email addresses, posts and shipping addresses have all been leaked by the hackers, who called themselves #SuperExtremeShitpostingTeam in a README file placed inside the dump.
To check if you’ve been affected, and if you’ve used Patreon you most likely were, check the website Haveibeenpwned.com.
New breach: 2.3M email addresses from the Patreon breach. 12% were already in @haveibeenpwned http://t.co/U0QyHZxP6k
— Have I been pwned? (@haveibeenpwned) October 2, 2015In a post on their blog, Patreon did say that credit card numbers were not accessed. Passwords, Social Security numbers and tax form information were accessed, but were all encrypted using a 2048-bit RSA key. While that information should be able to be kept hidden, Patreon users are encouraged to change their passwords to be safe.
“I take our creators’ and patrons’ privacy very seriously," Patreon CEO/Co-founder Jack Conte wrote. "It is our team’s mission to help creators get paid for the immeasurable value they provide to all of us, and earning your trust to provide that service in a safe and secure way is Patreon’s highest priority. Again, I sincerely apologize for this breach, and the team and I are making every effort to prevent something like this from happening in the future.
Hackers were able to access Patreon’s database through a debug version of their website that had been left visible to the public. That development server didn’t have any access to Patreon’s private keys, so access was cut off from there, but the server did have a copy of all the user information. Patreon has since rotated their private and API keys for third-party services, which is important for credit card information.
The Impact Team, for example, while they didn’t get credit card information, they could have and bragged about having access to the third-party service that Ashley Madison used for credit card numbers, comparing it something akin to logging into Gmail.
Thankfully Patreon did encrypt sensitive information using the bcrypt algorithm, which is the heavy floor vault of password hashing, designed specifically in mind to slow down crackers. However, Ashley Madison did much the same but had their bcrypt hashed passwords cracked after a programming error was found.
