The Patreon funding website was the target of a hacker group that published close to 15 gigabytes’ worth of sensitive information, password data, source code and donation records obtained after the attack.
Since the attack, the stolen information has been posted in various online locations. Jack Conte, Patreon's founder, is currently working with Twitter to suspend several accounts that have been linking to the stolen data.
In the meantime, Conte recommends that users change their passwords and ensure that they are not using the same password when logging in to any other online accounts. Security experts have confirmed that aside from login information, the hackers also accessed Patreon user private messages. Luckily, Patreon does not store credit card information.
According to Troy Hunt, the security researcher who confirmed that the data posted online was indeed obtained from Patreon's servers, the amount and type of data taken in the attack suggest that the hack was extensive and may have been more damaging than initially thought.
Hunt downloaded the archive and inspected its contents. Once he had restored the database dump it contained, he concluded that over 2.3 million email addresses had been compromised, his own among them. Indeed, after the breach many Patreon users were stunned to find their own email addresses in the dump.
Conte reiterated that Patreon is all about earning the trust of its users so that it can provide a service in a safe and secure way.
“Again, I sincerely apologize for this breach, and the team and I are making every effort to prevent something like this from happening in the future,” he said.
Patreon hashes user passwords with bcrypt, a deliberately slow, salted password-hashing function. Because every guess has to be run through that slow function separately for each account, attackers must invest large amounts of time and computing resources to crack the hashes. However, the dump also included Patreon's source code, and reviewing source code can expose implementation mistakes in how the hashing is done; if any such mistake exists, cracking is significantly accelerated.
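As an added illustration (not part of the original article, and not a description of Patreon's actual code), the Python below shows why a slow, salted hash raises an attacker's cost and how one common implementation mistake, reusing a single salt for every account, collapses that cost. PBKDF2 from the standard library stands in for bcrypt so the example runs without a third-party package; the accounts and wordlist are constructed sample data, and the shared-salt bug is a hypothetical example of the kind of mistake the article refers to.

```python
import hashlib
import hmac
import os

# Work factor for the slow hash. bcrypt's cost parameter plays the same role;
# PBKDF2 is used here only because it ships with the standard library.
ITERATIONS = 10_000
SALT_BYTES = 16


def slow_hash(password: bytes, salt: bytes) -> bytes:
    """Salted, deliberately slow password hash (stand-in for bcrypt)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)


def build_store(accounts: dict, fixed_salt: bytes = None) -> dict:
    """Hash each account's password into a {user: (salt, digest)} store.

    Correct code draws a fresh random salt per user. Passing fixed_salt
    reproduces the hypothetical bug of sharing one salt across all users.
    """
    store = {}
    for user, password in accounts.items():
        salt = fixed_salt if fixed_salt is not None else os.urandom(SALT_BYTES)
        store[user] = (salt, slow_hash(password, salt))
    return store


def crack(store: dict, wordlist: list) -> tuple:
    """Offline dictionary attack against the store.

    Accounts are grouped by salt so each guess is hashed once per distinct
    salt and compared against every account sharing that salt. Returns
    (recovered passwords, number of slow-hash computations performed).
    """
    by_salt = {}
    for user, (salt, digest) in store.items():
        by_salt.setdefault(salt, []).append((user, digest))
    recovered = {}
    work = 0
    for salt, members in by_salt.items():
        for guess in wordlist:
            candidate = slow_hash(guess, salt)
            work += 1
            for user, digest in members:
                if hmac.compare_digest(candidate, digest):
                    recovered[user] = guess
    return recovered, work


# Constructed sample data: four accounts, three with weak passwords.
ACCOUNTS = {
    "alice": b"password1",
    "bob": b"letmein",
    "carol": b"correct horse battery staple",
    "dave": b"qwerty123",
}
WORDLIST = [b"123456", b"password", b"password1", b"qwerty123",
            b"letmein", b"welcome", b"admin", b"dragon"]


def compare_work() -> dict:
    """Run the same dictionary attack against a correctly salted store and
    against a store whose code reused one salt for everyone."""
    per_user = build_store(ACCOUNTS)
    shared = build_store(ACCOUNTS, fixed_salt=b"\x00" * SALT_BYTES)
    return {
        "per_user_salt": crack(per_user, WORDLIST),
        "shared_salt": crack(shared, WORDLIST),
    }


if __name__ == "__main__":
    for label, (found, work) in compare_work().items():
        print(f"{label}: {len(found)} of {len(ACCOUNTS)} cracked, "
              f"{work} slow-hash computations")
```

With per-user salts the attacker pays len(wordlist) × len(accounts) slow-hash computations (32 here); with the shared-salt bug the same three passwords fall after only len(wordlist) computations (8), and the gap grows linearly with the number of accounts in the dump.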
Since private information, including dollar figures for Patreon campaigns and how much individual creators are earning, is now public, the company says it will focus on preventing similar attacks in the future.
“Although accessed, all passwords, social security numbers and tax form information remain safely encrypted with a 2048-bit RSA key”, the Patreon CEO said, noting that the company was doing all it could to minimize the effect of the hack on users.
Photo credits: WikiMedia