Late on Wednesday, crowdfunding site Patreon announced that it had been hacked, and that attackers had managed to get away with users' names, email addresses, and shipping addresses (but not credit card numbers). That data appears to have since been dumped online for anyone to download.
Troy Hunt, owner of haveibeenpwned, a site that informs users whether they have been victimised in data breaches, published several tweets after downloading a copy of the apparent Patreon data.
“This looks like a complete [database] dump of Patreon, the whole works is in there,” he wrote, adding that the dump also contained messages, “some with very personal info.” Haveibeenpwned tweeted that 2.3 million email addresses were found in the data.
“Definitely legit—I'm in there too,” Hunt told Motherboard in an email.
This looks like a complete DB dump of Patreon, the whole works is in there.
— Troy Hunt (@troyhunt) October 2, 2015
The dump also appears to contain product source code, judging by a copy of the data obtained by Motherboard, as well as private encryption keys.
Hunt told Ars Technica that "The fact that source code exists ... is interesting [and] suggests much more than just a typical SQL injection attack and points to a broader compromise.” In a SQL injection attack, the attacker submits input that the site's code pastes directly into a database query, so the input runs as part of the query and can be used to read or alter the database. By itself it typically exposes the database, not files on the server such as source code or private keys, which is why their presence points to a deeper intrusion.
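To make the distinction concrete, here is an added example written for this article (not Patreon's code, and the table names, rows and attacker strings are constructed). It shows the vulnerable pattern, a query built by string formatting, beside the parameterized fix, and what an injected value can and cannot reach:

```python
import sqlite3

# Constructed sample data for the example; nothing here comes from the real dump.
SAMPLE_USERS = [
    (1, "alice@example.com", "Alice"),
    (2, "bob@example.com", "Bob"),
    (3, "carol@example.com", "Carol"),
]
SAMPLE_API_KEYS = [
    (1, "sk_live_constructed_0001", "alice@example.com"),
    (2, "sk_live_constructed_0002", "bob@example.com"),
]


def make_db():
    """Build an in-memory SQLite database with two constructed tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, name TEXT)")
    conn.execute("CREATE TABLE api_keys (id INTEGER PRIMARY KEY, secret TEXT, owner TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO api_keys VALUES (?, ?, ?)", SAMPLE_API_KEYS)
    conn.commit()
    return conn


def find_user_vulnerable(conn, email):
    """Vulnerable lookup: untrusted input is spliced into the SQL text itself."""
    query = f"SELECT id, email, name FROM users WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, email):
    """Hardened lookup: the value is bound as a parameter, never parsed as SQL."""
    query = "SELECT id, email, name FROM users WHERE email = ?"
    return conn.execute(query, (email,)).fetchall()


def demo():
    """Run both lookups with an honest value and two hostile ones; return row counts."""
    conn = make_db()
    honest = "alice@example.com"
    # Closes the string literal, then appends an always-true condition.
    tautology = "' OR '1'='1"
    # Closes the literal and bolts a second SELECT onto the query; the trailing
    # '--' comments out the closing quote the original query still contains.
    union_dump = "' UNION SELECT id, secret, owner FROM api_keys --"
    return {
        "vuln_honest": len(find_user_vulnerable(conn, honest)),      # 1
        "vuln_tautology": len(find_user_vulnerable(conn, tautology)),  # every user
        "vuln_union": len(find_user_vulnerable(conn, union_dump)),    # every api key
        "safe_honest": len(find_user_safe(conn, honest)),            # 1
        "safe_tautology": len(find_user_safe(conn, tautology)),      # 0: no such email
        "safe_union": len(find_user_safe(conn, union_dump)),         # 0: no such email
    }


if __name__ == "__main__":
    for label, count in demo().items():
        print(f"{label}: {count} row(s)")
```

The UNION case is the point Hunt is making in reverse: an injection lets the attacker read other tables through the same database connection, which explains a dumped users table, but the query still executes inside the database engine. Pulling source code and key files off the web server's disk needs a different foothold, so their presence implies more than a single injectable query.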
Also included in the dump is a README file that reads as if it could have been written by those responsible for the breach.
“#SuperExtremeShitpostingTeam, bringing you the latest in lulz!” it starts.
“Patreon left their backdoor open, so we rammed into it with full force. Included is a txt of interesting data, their sql database, and a backup of their python port!” The file concludes with an ASCII graphic gravestone, bearing the phrase “R.I.P. Patreon”
Screenshot of a README file in the dump
It is unclear whether this README was indeed written by the hackers, but Hunt confirmed to Motherboard that the file was also present in the copy of the data he analysed.
After the data was uploaded to a file sharing site, links to it were being shared on Twitter. “The operations team at Patreon is working hand-in-hand with Twitter’s trust and safety team. They have actively suspended accounts that link to the breached data,” Jack Conte, Patreon's CEO and co-founder, told Motherboard in an emailed statement.
Conte elaborated on some of the site’s security. “We encrypt all tax form information with a 2048-bit RSA key. The key used to decrypt this information lives on a separate server and was not compromised. All user passwords are hashed using bcrypt with 8 or 12 passes, depending on when the user signed up.”
“We are in close touch with law enforcement to minimize risk to our users and we have engaged a third party security firm to inform our response,” Conte's statement continues.
“Patreon engineering has done a thorough analysis of the vulnerability that led to the breach. We are being meticulous and rigorous in the investigation, and based on conversations with dozens of advisors and security experts, I’m highly confident that we’re doing everything in our power to minimize the impact on our users.”