Sensitive User Data From Hacked Patreon Sponsorship Site Exposed Online
Patreon is a website where "patrons" are able to support their favorite content creators with a monthly subscription. Based on what was leaked in this dump, there were at least 2.3 million accounts, and if one of them happens to be yours, it's imperative that you take immediate action. The first step is to log into your Patreon account and update your password, and if your compromised password was shared with any other service, you should likewise change those. If you have the habit of using the same password everywhere, we'd highly recommend looking into a free password management solution like LastPass or KeePass.
One of the most concerning things about this breach is just how extensive it is. Database leaks are one thing, but the inclusion of source code is another thing entirely. Knowing that even private messages are part of this database leak can't make anyone who's made good use of the service feel too comfortable.
If there's a saving grace here, it's that Patreon stored passwords with bcrypt, a deliberately slow password hash, meaning that attackers generally need to work very hard to crack them. However, because the source code is also available, the cracking process could be expedited - something we saw with the Ashley Madison leak.
The dollar figure for the Patreon campaigns isn't the issue, it's supporters identities, messages, etc. Everything private now public.
— Troy Hunt (@troyhunt) October 2, 2015
Because of the sheer amount of data that's part of this leak, it's clear that whoever breached Patreon gained unprecedented access, highlighting yet again that many Web services are simply not battling hard enough against attackers. Web security isn't easy, but leaks like this should never happen.