Patreon hack sees 13.7GB of personal user data dumped online

2 Oct 2015

Patreon is in the midst of a security crisis after a major breach in which 13.7GB of personal data, including password hashes and donation records, was dumped online.

No one has claimed responsibility for the attack, and Patreon, which has become the lifeblood of many emerging online creators and businesses, is now working out how to respond to a breach of this scale.

Like crowdfunding sites, Patreon lets people give money to their favourite online creators or charities, but as a recurring monthly pledge rather than a one-off payment.

In Patreon's statement on the incident, CEO and co-founder Jack Conte said the breach took place on 28 September and gave the attackers access to registered names, email addresses, posts and some shipping addresses.

Patreon's saving grace, the company said, is that its most sensitive data, including social security numbers and tax information, was stored encrypted under a 2048-bit RSA key. That protection is only as strong as the handling of the matching private key, which is not described here: data encrypted to a public key stays confidential only if the private key was not reachable from the compromised systems.

“We protect our users’ passwords with a hashing scheme called ‘bcrypt’ and randomly salt each individual password,” Conte said. “Bcrypt is non-reversible, so passwords cannot be ‘decrypted’. We do not store plain-text passwords anywhere.”
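To make the scheme Conte describes concrete, the following is an added example (not Patreon's code) of per-password random salting, a deliberately slow one-way hash, and constant-time verification. It uses scrypt from Python's standard library as a stand-in for bcrypt, which needs a third-party package; the record format, parameter values and sample passwords are assumptions chosen for the example, and the only thing a verifier can do with the stored record is recompute and compare, never recover the password.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# scrypt cost parameters. Assumed values for this example; tune to your hardware
# so a single hash takes tens of milliseconds, which is what makes offline
# guessing against a leaked table expensive.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_LEN = 16
KEY_LEN = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: $scrypt$N$r$p$salt$hash.

    A fresh random salt is drawn per password unless one is supplied, so two
    users with the same password get different stored values and a precomputed
    (rainbow) table is useless against the dump.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return f"$scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash using the parameters and salt embedded in `stored`
    and compare in constant time. A malformed record never verifies."""
    try:
        _, scheme, n, r, p, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        n, r, p = int(n), int(r), int(p)
    except ValueError:
        return False
    if scheme != "scrypt" or not expected:
        return False
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def demo() -> dict:
    """Constructed sample: one password hashed twice, then checked three ways."""
    pw = "correct horse battery staple"  # constructed sample password
    h1 = hash_password(pw)
    h2 = hash_password(pw)
    return {
        "salts_differ": h1 != h2,                           # per-password salt
        "right_password": verify_password(pw, h1),          # True
        "wrong_password": verify_password("Tr0ub4dor&3", h1),  # False
        "malformed_record": verify_password(pw, "not-a-hash"),  # False
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Because the salt and cost parameters travel with the record, a site can raise the work factor for new hashes without invalidating old ones; the verifier simply reads the parameters back out of each stored string.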

Security researchers have meanwhile been examining what was actually leaked. Troy Hunt told Ars Technica that a 13.7GB data dump posted online does appear to be Patreon user data.

The dump also contains private messages between users, which will alarm anyone who used the site to support causes of a sensitive nature.

Hunt, who runs haveibeenpwned.com, has loaded the email addresses from the dump into the service so that users can check whether their account was among those exposed.

Patreon is asking all users to change their passwords and, because password reuse is so common, to change that password on any other service where it was used.


Colm Gorey was a senior journalist with Silicon Republic
