A screenshot of Patreon's homepage. (Image: Patreon)
Another day, another data breach.
The crowdfunding website Patreon revealed on late Wednesday night that someone had hacked into the site’s user database. The hacker or hackers gained access to users’ names, email addresses, posts, and shipping addresses, according to Patreon.
“I am so sorry to our creators and their patrons for this breach of trust,” Patreon’s CEO and co-founder Jack Conte wrote in a notice posted on the site. “I sincerely apologize for this breach, and the team and I are making every effort to prevent something like this from happening in the future.”
Conte said that no credit card numbers were compromised, and that sensitive information such as passwords, social security numbers and tax form information “remain safely encrypted.” That’s why, he added, users don’t need to take any “specific action,” as passwords “cannot be ‘decrypted.’” Yet he recommended that users change their password “as a precaution.”
This might be a good idea, since Patreon was using the same technology used by hookup website Ashley Madison to protect passwords, a hashing scheme called “bcrypt.” When the hackers published Ashley Madison’s users’ data online, some experts said it would be really hard to crack the passwords, but as many as 11 million passwords ended up being cracked anyway. The weakness in that case, however, was that Ashley Madison stored a more weakly encrypted login token, which hackers were able to crack.
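As an added illustration, not code from the article or from Patreon, of why a weakly protected token stored next to bcrypt hashes undermines them: PBKDF2 from Python's standard library stands in for bcrypt here (an assumption, since bcrypt is not in the stdlib; both make every guess expensive), and the password, wordlist and token schemes are constructed for the demo.

```python
import hashlib
import secrets
import time

# Constructed guess list for the demo; real wordlists run to millions of entries.
WORDLIST = ["123456", "password", "letmein", "hunter2", "qwerty"]
ITERATIONS = 100_000  # work factor; bcrypt's "cost" parameter plays the same role


def slow_hash(password, salt, iterations=ITERATIONS):
    """Salted, deliberately slow password hash. PBKDF2 stands in for bcrypt
    (assumption: bcrypt is not in the stdlib); the property that matters is
    the same: each guess costs the attacker `iterations` rounds of work."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def password_derived_token(password):
    """The weak pattern: a login token that is one fast, unsalted hash of the
    password. Whoever obtains the token can test guesses at full hash speed."""
    return hashlib.sha256(password.encode()).hexdigest()


def random_token():
    """The safe pattern: a token independent of the password. Leaking it
    reveals nothing that helps guess the password."""
    return secrets.token_hex(32)


def crack(check, wordlist):
    """Dictionary attack against one verifier. Checks every word (no early
    exit) so timings are comparable; returns (first hit or None, secs/guess)."""
    start = time.perf_counter()
    hits = [g for g in wordlist if check(g)]
    per_guess = (time.perf_counter() - start) / len(wordlist)
    return (hits[0] if hits else None), per_guess


def compare(password="hunter2"):
    """Breach scenario: the attacker holds the bcrypt-style hash, a
    password-derived token, and a random session token for the same account."""
    salt = secrets.token_bytes(16)
    stored_hash = slow_hash(password, salt)
    leaked_token = password_derived_token(password)
    session = random_token()  # what a site should store instead of the above
    via_hash, t_slow = crack(lambda g: slow_hash(g, salt) == stored_hash, WORDLIST)
    via_token, t_fast = crack(lambda g: password_derived_token(g) == leaked_token, WORDLIST)
    via_random, _ = crack(lambda g: password_derived_token(g) == session, WORDLIST)
    return {"via_hash": via_hash, "via_token": via_token, "via_random": via_random,
            "cost_ratio": t_slow / max(t_fast, 1e-9)}  # how much slower per guess
```

The random token yields nothing, while the password-derived one gives the same answer as the slow hash at a tiny fraction of the per-guess cost, which is why the slow hash alone does not help once such a token leaks.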
The hackers got access to the database on September 28 through a “debug version” of the site, according to Conte. As soon as they discovered the breach, Patreon shut down the server and launched an investigation. The company will also hire a third party security firm to do an audit and “will be implementing new tools and practices to ensure industry-leading security for our users and their data.”
Users were notified of the breach via email overnight.
We have reached out to Patreon to get more details on the breach and will update this story if and when they respond.
This story has been updated to clarify that when hackers cracked Ashley Madison's passwords, they attacked a weaker login token, which wasn't encrypted using bcrypt. They did not directly attack bcrypt hashed passwords.