Sensitive User Data From Hacked Patreon Sponsorship Site Exposed Online

Mere days after it was revealed that crowdfunding website Patreon had been breached, the entire collection of stolen digital goods has been posted online. What makes this leak more severe than typical ones is that it includes not only user account information but also some of the site's source code (or potentially all of it), as well as private messages. If the encrypted information can be cracked, social security numbers and tax IDs could be revealed.

Patreon is a website where "patrons" are able to support their favorite content creators with a monthly subscription. Based on what was leaked in this dump, there were at least 2.3 million accounts, and if one of them happens to be yours, it's imperative that you take immediate action. The first step is to log into your Patreon account and update your password, and if you used that compromised password with any other service, you should change it there as well. If you have the habit of using the same password everywhere, we'd highly recommend looking into a free password management solution like LastPass or KeePass.


One of the most concerning things about this breach is just how extensive it is. Database leaks are one thing, but the inclusion of source code is another thing entirely. Knowing that even private messages are part of this database leak can't make anyone who's made good use of the service feel too comfortable.

If there's a saving grace here, it's that Patreon protected passwords with strong bcrypt hashing, meaning that attackers generally need to work very hard if they want to crack them. However, because the source code is also available, the cracking process could be expedited - something we saw with the Ashley Madison leak.

Because of the sheer amount of data that's part of this leak, it's clear that whoever breached Patreon gained unprecedented access, highlighting yet again that many Web services are simply not battling hard enough against attackers. Web security isn't easy, but leaks like this should never happen.


Via: Ars Technica