The highly successful crowdfunding company Patreon has announced that it has fallen victim to a large-scale cyber intrusion. The funding website revealed that hackers had breached its network systems and accessed sensitive personal information of its users, potentially exposing both creators and their backers to as yet unknown security risks.
The hackers published approximately 15 gigabytes of information, including source code, a disturbing detail that indicates the breach was a much broader intrusion than a typical SQL injection attack.
The data dump was posted on numerous online locations for all to see, including cyber security researcher Troy Hunt, who downloaded the archive file to inspect its content and authenticity. Mr. Hunt came to the conclusion that the data dump had almost certainly come from Patreon network servers.
The information contained in the data dump includes usernames, email addresses, street/shipping addresses, donation records, other personal communications, as well as source code. According to Patreon, the good news is that the breach did not include passwords, social security numbers, credit card, debit card or other financial information. In its notification post about the breach, Patreon CEO Jack Conte said, “We protect our users’ passwords with a hashing scheme called ‘bcrypt’ and randomly salt each individual password. Bcrypt is non-reversible, so passwords cannot be “decrypted.” We do not store plaintext passwords anywhere.”
While these expressions of confidence from Jack Conte are welcome, they must be greeted with a healthy dose of skepticism in light of the Ashley Madison hack, which used the same form of cryptographic protection and proved that such protection can be cracked given enough time and computational resources.
It goes without saying that if you are a Patreon member/user you should change your password, and also change it on any other site where you have used the same password, choosing a new, strong password. This means a password built from random characters rather than words, mixing upper- and lower-case letters, numbers and symbols, and at least eight characters long. Do not respond to emails directing you to reset your password; instead go directly to the site for reset instructions, and do not click on links sent by any person or entity, no matter how official the message may appear.
Below is the official notification from Patreon CEO Jack Conte:
Important Security Notice from Patreon Published Sep 30, 2015
Yesterday I learned that there was unauthorized access to a Patreon database containing user information. Our engineering team has since blocked this access and taken immediate measures to prevent future breaches. I am so sorry to our creators and their patrons for this breach of trust. The Patreon team and I are working especially hard right now to ensure the safety of the community.
There was unauthorized access to registered names, email addresses, posts, and some shipping addresses. Additionally, some billing addresses that were added prior to 2014 were also accessed. We do not store full credit card numbers on our servers and no credit card numbers were compromised. Although accessed, all passwords, social security numbers and tax form information remain safely encrypted with a 2048-bit RSA key. No specific action is required of our users, but as a precaution I recommend that all users update their passwords on Patreon.
Here are some technical details of the incident:
- The unauthorized access was confirmed to have taken place on September 28th via a debug version of our website that was visible to the public. Once we identified this, we shut down the server and moved all of our non-production servers behind our firewall.
- There was no unauthorized access of our production servers. The development server included a snapshot of our production database, which included encrypted data.
- The development server did not have any private keys that would allow login access to any other server. We verified our authorization logs on our production servers to ensure that there was not any unauthorized access.
- As a precaution, we have rotated our private keys and API keys that would allow access to third-party services that we use.
- We protect our users’ passwords with a hashing scheme called ‘bcrypt’ and randomly salt each individual password. Bcrypt is non-reversible, so passwords cannot be “decrypted.” We do not store plaintext passwords anywhere.
As soon as we discovered this issue, our engineering team immediately prevented further access and is now conducting a rigorous investigation of our security systems. We are also engaging a third-party security firm to do a comprehensive internal security audit and will be implementing new tools and practices to ensure industry-leading security for our users and their data.
I take our creators’ and patrons’ privacy very seriously. It is our team’s mission to help creators get paid for the immeasurable value they provide to all of us, and earning your trust to provide that service in a safe and secure way is Patreon’s highest priority. Again, I sincerely apologize for this breach, and the team and I are making every effort to prevent something like this from happening in the future.
Jack Conte, CEO/Co-founder, Patreon