San Francisco – Patreon, a crowdfunding platform that aims to help artists and creators, announced on Wednesday that it has been hacked. Most of the relevant information from the users was compromised, such as usernames, posts, email and shipping addresses.
“I am so sorry to our creators and their patrons for this breach of trust,” Patreon’s CEO and co-founder Jack Conte wrote in a notice posted on the site. “I sincerely apologize for this breach, and the team and I are making every effort to prevent something like this from happening in the future.”
Hackers have been revealing the details from almost 2.3 million users that use the services of Patreon and were made available for anyone to download. Luckily the credit card data was not compromised in the breach. However, Conte said that they were working closely with the authorities, so users do not suffer a minimum risk.
“Hackers gained access to names, email addresses, posts, and some shipping addresses, along with some billing addresses that were added prior to 2014. The site also reported unauthorized access to encrypted passwords, social security numbers, and tax form information,” PCWorld stated.
Troy Hunt, the owner of the website “haveibeenpwned,” a platform that aims to help victims to learn from compromises of their accounts, highlighted the severity of the risk of the online attack on today’s internet, after downloading a copy of Patreon’s database.
Hunt wrote in a tweet, “This looks like a complete [database] dump of Patreon, the whole works is in there. The dump also contained messages, some with very personal info.” He said that 2.3 million email addresses were found in the data, Motherboard reported.
However, Conte ensures that all passwords, social security numbers and tax form information remain safely encrypted with a 2048-bit RSA key. Although he urged users to immediately change their usernames information, only for precaution.
“We encrypt all tax form information with a 2048-bit RSA key. The key used to decrypt this information lives on a separate server and was not compromised. All user passwords are hashed using bcrypt with 8 or 12 passes, depending on when the user signed up,” said Patreon’s CEO as Motherboard reported.
The engineers from Patreon, have done a meticulous analysis of the vulnerability that led to the breach, so it will not happen again. They also have been counseling with security experts. “I’m highly confident that we’re doing everything in our power to minimize the impact on our users,” said Conte, as The Verge reported.