Crowdfunding platform Patreon suffered a major security breach yesterday, with user details, including hashed passwords, names and addresses, among the data stolen. To make matters worse for the site, nearly 15GB of the pilfered information has since been leaked online.
No one has come forward to claim responsibility for the hack or the subsequent data dump, which revealed 2.3 million email addresses, hashed passwords, donation records and private messages. The leaked data, which was found on file-sharing sites, was inspected by security researcher Troy Hunt, who told Ars Technica that it almost certainly came from Patreon servers and was more extensive and potentially damaging to users than he had previously assumed.
"The fact that source code exists ... is interesting [and] suggests much more than just a typical SQL injection attack and points to a broader compromise," he told Ars. Referring to the inclusion of a 13.7-gigabyte database, he added: "At the very least, it means mapping individuals with the Patreon campaigns they supported. There's more data. I'll look closer once the restore is complete."
Uh oh, looks like the Patreon dump includes messages, some with very personal info. — Troy Hunt (@troyhunt) October 2, 2015
Patreon, which lets people support creators or charities with a recurring monthly pledge rather than a one-off payment, said that users' passwords were not stored in plaintext but hashed with bcrypt and individually salted (the 2048-bit RSA key the company also mentioned was used to encrypt social security numbers and tax-form data, not passwords). Hashed passwords cannot be "decrypted", but a dumped database can be attacked offline by guessing one candidate at a time, and bcrypt is deliberately slow to make every guess expensive. The worry is that the leaked source code could reveal a shortcut around that cost, as happened in last month's Ashley Madison leak, where researchers found a fast MD5-based login token stored alongside the bcrypt hashes and used it to recover millions of passwords far faster than bcrypt alone would have allowed.
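The Python below is an added illustration for this article, not Patreon's code and not a description of Patreon's actual scheme. It contrasts an attacker's cost against a slow, salted hash with the Ashley Madison-style shortcut the paragraph refers to: an unsalted fast hash of the password stored next to the slow one, which only becomes exploitable once the attacker has the source code showing how it is built. PBKDF2-HMAC-SHA256 stands in for bcrypt (which is not in the Python standard library); the usernames, passwords, wordlist and token format are all constructed for the demo.

```python
"""Added example: why a dumped table of slow, salted hashes is expensive to
crack, and how a fast unsalted 'login token' stored alongside it collapses
that cost once the attacker learns (from leaked source) how it is derived.
Not Patreon code; PBKDF2 stands in for bcrypt; all data is constructed."""
import hashlib
import hmac
import itertools
import os
import time

PBKDF2_ROUNDS = 100_000  # slow on purpose: this is the attacker's per-guess cost


def slow_hash(password: str, salt: bytes, rounds: int = PBKDF2_ROUNDS) -> bytes:
    """Salted, iterated, deliberately slow password hash (bcrypt stand-in)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)


def fast_token(username: str, password: str) -> str:
    """The anti-pattern: an unsalted MD5 of lower-cased username:password,
    modelled on the Ashley Madison $loginkey. One cheap MD5 per guess, and
    the lower-casing throws away the password's capitalisation."""
    material = f"{username.lower()}:{password.lower()}".encode("utf-8")
    return hashlib.md5(material).hexdigest()


def make_record(username: str, password: str) -> dict:
    """What one row of the dumped user table holds under this (flawed) design."""
    salt = os.urandom(16)
    return {
        "user": username,
        "salt": salt,
        "pw_hash": slow_hash(password, salt),
        "token": fast_token(username, password),  # the shortcut that leaks
    }


def verify(record: dict, candidate: str) -> bool:
    """Constant-time comparison of a candidate against the slow hash."""
    return hmac.compare_digest(slow_hash(candidate, record["salt"]), record["pw_hash"])


def crack_slow(record: dict, wordlist: list) -> tuple:
    """Attack the slow hash directly: one PBKDF2 per candidate.
    Returns (password or None, number of slow hashes computed)."""
    for n, guess in enumerate(wordlist, 1):
        if verify(record, guess):
            return guess, n
    return None, len(wordlist)


def case_variants(word: str):
    """Yield capitalisation variants of a lower-case word, fewest capitals first."""
    letters = [i for i, c in enumerate(word) if c.isalpha()]
    for k in range(len(letters) + 1):
        for ups in itertools.combinations(letters, k):
            yield "".join(c.upper() if i in ups else c for i, c in enumerate(word))


def crack_with_token(record: dict, wordlist: list) -> tuple:
    """Attack the fast token first (cheap MD5 per guess), then spend slow
    hashes only to recover the capitalisation the token discarded.
    Returns (password or None, fast guesses, slow hashes computed)."""
    slow = 0
    for n, guess in enumerate(wordlist, 1):
        if fast_token(record["user"], guess) != record["token"]:
            continue
        for variant in case_variants(guess.lower()):
            slow += 1
            if verify(record, variant):
                return variant, n, slow
        return None, n, slow  # token matched but no case variant verified
    return None, len(wordlist), slow


# Constructed demo data: a tiny "leaked wordlist" and two dumped rows.
WORDLIST = ["123456", "password", "qwerty", "letmein", "hunter2", "dragon"]


def demo():
    alice = make_record("alice", "letmein")  # plain dictionary word
    bob = make_record("Bob", "Hunter2")      # dictionary word with a capital
    t0 = time.perf_counter()
    slow_result = crack_slow(bob, WORDLIST)  # misses: wordlist lacks "Hunter2"
    t1 = time.perf_counter()
    token_result = crack_with_token(bob, WORDLIST)
    t2 = time.perf_counter()
    print(f"slow hash only : {slow_result}  {t1 - t0:.2f}s")
    print(f"token shortcut : {token_result}  {t2 - t1:.2f}s")
    print(f"alice via slow : {crack_slow(alice, WORDLIST)}")


if __name__ == "__main__":
    demo()
```

Against the slow hash alone, the wordlist attack on "Hunter2" fails outright after six expensive hashes, and a real attacker would have to pay that cost again for every capitalisation variant. With the token, a six-entry MD5 search identifies the lower-cased password, and only two slow hashes are needed to confirm the real one. That is the shape of the Ashley Madison shortcut, and the reason leaked source code matters even when the hashing algorithm itself is sound.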
The breach is said to have taken place on September 28th, with the leaked data containing records generated as recently as September 24th. Patreon recommends that users change their password for the site and, for extra security, on any other website where they reuse the same password, since leaked credentials are routinely tried against other services. The company added that it is still investigating the hack and will be hiring a security firm to conduct an internal audit.