Patreon hack exposes private user data

Almost 15GB of data from Patreon’s servers has been posted online after a recent hack on the service, Ars Technica reported.

Patreon is a crowdfunding platform that lets people support artists by becoming their patrons, donating either a fixed amount or becoming a monthly subscriber for rewards.

The Patreon data archive contains password data, donation records, and source code. Passwords were secured using the bcrypt cryptographic hash function.

Security researcher Troy Hunt told Ars Technica the fact that the hackers got their hands on source code suggests that the compromise is more than an SQL injection attack.

Hunt provided the following details of the breach:

• Patreon has a table called “dmca_takedowns”.
• There are 2.3M unique emails in the Patreon dump, including Hunt’s.
• Patreon dump includes messages, some with personal info.
• All the campaigns, supporters, and pledges are there.

“The dollar figure for the Patreon campaigns isn’t the issue, it’s supporters identities, messages, etc. Everything private [is] now public,” he said.

Hunt said he thinks hackers got their hands on Patreon’s user data through a developer getting a copy of the production database “just for testing”.

More security news

New Android Stagefright vulnerability uncovered

Critical vulnerability in WinRAR exposed

Akamai XOR DDoS warning

Apple App Store suffers first major attack

ANC-linked businessmen bought super cellphone spying device