Patreon, a website that allows donors to give regularly to sites, artists, projects and other creators, announced yesterday evening that it had been hit by an attack that accessed some registered names, email addresses and mailing addresses. According to reports, 15GB of data was then dumped online, exposing information about donors and the projects they’ve funded.
Hackers published almost 15 gigabytes’ worth of password data, donation records, and source code snagged during the attack, reports Ars Technica. Patreon said on Wednesday that someone had managed to access a “debug version” of the website that was accessible to the public, but that all payment information was safe as full credit card numbers aren’t stored on its servers.
“Although accessed, all passwords, social security numbers and tax form information remain safely encrypted with a 2048-bit RSA key,” Jack Conte, co-founder and CEO of Patreon said, adding that user passwords are cryptographically protected with bcrypt, but that patrons should change their passwords immediately as a precaution.
Even so, attackers who hold the password table can run guesses against it offline, at their leisure. bcrypt makes each guess expensive, but it cannot rescue weak or reused passwords, and the leaked source code could reveal programming mistakes that make cracking easier, though it’d likely still take a lot of time and resources. Ars also points out that access to the source code could expose the encryption key that’s said to protect social security numbers and tax IDs, at which point the 2048-bit RSA protection counts for nothing.
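To make the password-hash point concrete, here is an added example (not Patreon’s code, and not from the Ars reporting) of what an attacker does with a leaked table of salted, slow hashes, and why a reused password matters. Patreon said its passwords are bcrypt-hashed; bcrypt is not in the Python standard library, so this example uses PBKDF2-HMAC-SHA256 from hashlib as a stand-in for the slow, salted hash. The attacker’s loop is identical for either. All accounts, passwords and wordlist entries are constructed for the demonstration.

```python
"""Offline guessing against a leaked table of salted, slow password hashes.

Added example for this article; it is not Patreon's code. Patreon said its
passwords are bcrypt-hashed. bcrypt is not in the Python standard library, so
PBKDF2-HMAC-SHA256 from hashlib stands in here as the slow, salted hash; the
attacker's loop is the same for either. Every user, password and wordlist
entry below is constructed for the demonstration.
"""
import hashlib
import hmac
import os
import time

# Work factor. bcrypt's cost parameter plays the same role: it sets how much
# CPU one guess costs the attacker, but it cannot make a weak password strong.
ITERATIONS = 50_000


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Slow salted hash of one password (stand-in for bcrypt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_dump(accounts: dict) -> dict:
    """Build what a leaked password table looks like: per-user salt, cost, digest."""
    dump = {}
    for email, password in accounts.items():
        salt = os.urandom(16)
        dump[email] = (salt, ITERATIONS, hash_password(password, salt))
    return dump


def crack(dump: dict, wordlist: list) -> dict:
    """Dictionary attack: every guess is re-hashed per user because salts differ.

    Returns {email: recovered_password} for the rows a wordlist entry matched.
    """
    found = {}
    for email, (salt, iterations, digest) in dump.items():
        for guess in wordlist:
            if hmac.compare_digest(hash_password(guess, salt, iterations), digest):
                found[email] = guess
                break
    return found


def credential_stuffing(cracked: dict, other_site_dump: dict) -> list:
    """Replay recovered passwords against another site's table.

    This is why the article says to change the password everywhere it was
    reused: a cracked Patreon password opens every account that shares it.
    """
    hits = []
    for email, password in cracked.items():
        record = other_site_dump.get(email)
        if record is None:
            continue
        salt, iterations, digest = record
        if hmac.compare_digest(hash_password(password, salt, iterations), digest):
            hits.append(email)
    return hits


# Constructed sample data: three Patreon-style accounts and a second site
# where one user reused the same password.
PATREON_ACCOUNTS = {
    "alice@example.com": "password123",
    "bob@example.com": "correct horse battery staple",
    "carol@example.com": "letmein",
}
OTHER_SITE_ACCOUNTS = {
    "alice@example.com": "password123",      # reused
    "carol@example.com": "a-different-one",  # not reused
}
WORDLIST = ["123456", "password", "letmein", "qwerty", "password123", "patreon"]

PATREON_DUMP = make_dump(PATREON_ACCOUNTS)
OTHER_SITE_DUMP = make_dump(OTHER_SITE_ACCOUNTS)


def run_demo() -> dict:
    """Crack the dump, time it, and report which accounts fall."""
    start = time.perf_counter()
    cracked = crack(PATREON_DUMP, WORDLIST)
    elapsed = time.perf_counter() - start
    # Number of hash computations the attacker actually paid for.
    guesses = sum(WORDLIST.index(cracked[e]) + 1 if e in cracked else len(WORDLIST)
                  for e in PATREON_DUMP)
    return {
        "cracked": cracked,
        "reused_elsewhere": credential_stuffing(cracked, OTHER_SITE_DUMP),
        "guesses_per_second": guesses / elapsed if elapsed else float("inf"),
    }


if __name__ == "__main__":
    result = run_demo()
    print("recovered:", result["cracked"])
    print("same password reused on other site:", result["reused_elsewhere"])
    print(f"attacker rate at this cost: {result['guesses_per_second']:.0f} guesses/s")
```

The two weak passwords fall within a handful of guesses regardless of the work factor, the passphrase survives the wordlist, and the one reused password is immediately valid on the second site. Raising the cost parameter lowers the guesses-per-second figure the demo prints, which is the only lever the site controls; the user controls the other two.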
Security researcher Troy Hunt, who’s inspected the contents of the data dump, says it includes a fair amount of private messages sent and received by users.
“Obviously all the campaigns, supporters and pledges are there too,” he tweeted. “You can determine how much those using Patreon are making.”
If you’re a Patreon subscriber, make sure you change your password on that site as well as anywhere else you’ve used it. You should also be aware that it’s very likely that your identity, any project you donated to and possibly private messages you exchanged using the site are now available to the Internet at large.
Gigabytes of user data from hack of Patreon donations site dumped online [Ars Technica]
Patreon: Some user names, e-mail and mailing addresses stolen [Ars Technica]
by Mary Beth Quirk via Consumerist