Crowdfunding site Patreon hacked, 15GB of data online

Crowdfunding site Patreon yesterday announced that a hacker had gained unauthorised access to its user database, exposing email addresses, posts, registered names, and some billing and shipping addresses.

About 15 gigabytes of data including names, addresses and donations have been published online.

In a post on the site, Patreon CEO Jack Conte stressed that his users’ credit card details, passwords and other sensitive information remained secure.

“We do not store full credit card numbers on our servers and no credit card numbers were compromised. Although accessed, all passwords, social security numbers and tax form information remain safely encrypted with a 2048-bit RSA key.”

Nevertheless, the announcement also advised users to change their passwords on Patreon “as a precaution.”

Patreon hashes its passwords with bcrypt, a deliberately slow algorithm that makes them expensive to attack, but a bcrypt hash cannot be decrypted. What identity thieves can do is guess passwords offline and check each guess against the leaked hashes, and any weakness in the source code that handled those passwords could make that job easier. Weak or reused passwords tied to your email address will fall that way, which is why the advice to change them stands.
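The point that a leaked password hash is guessed, not decrypted, is easier to see in code. The following is an added illustration, not Patreon's code: nothing is known here about Patreon's scheme beyond its use of bcrypt. Because bcrypt is not in Python's standard library, PBKDF2-HMAC-SHA256 from hashlib stands in for it (the property that matters, a salted, slow, one-way hash, is the same). The leaked rows, the wordlist, and the server-side pepper are all constructed for the example; the pepper is there only to show why access to the source code, and not just the database, helps an attacker.

```python
import hashlib
import hmac

# Added illustration, not Patreon's code. bcrypt is not in the standard library,
# so PBKDF2-HMAC-SHA256 stands in for it; the property that matters (a salted,
# deliberately slow, one-way hash) is the same.

ITERATIONS = 50_000  # work factor; bcrypt's cost parameter plays the same role
PEPPER = b"constructed-secret-that-lives-in-source-not-in-the-db"  # hypothetical


def hash_password(password: str, salt: bytes, pepper: bytes = PEPPER,
                  iterations: int = ITERATIONS) -> bytes:
    """Derive the value stored in the user table in place of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode() + pepper, salt, iterations)


def verify_password(password: str, salt: bytes, digest: bytes,
                    pepper: bytes = PEPPER, iterations: int = ITERATIONS) -> bool:
    """Recompute the hash for a candidate password and compare in constant time."""
    candidate = hash_password(password, salt, pepper, iterations)
    return hmac.compare_digest(candidate, digest)


def crack(salt: bytes, digest: bytes, wordlist, pepper: bytes = PEPPER,
          iterations: int = ITERATIONS):
    """Offline guessing, the only way to get a password back from a one-way hash.
    Returns (recovered password or None, number of guesses made)."""
    tried = 0
    for guess in wordlist:
        tried += 1
        if verify_password(guess, salt, digest, pepper, iterations):
            return guess, tried
    return None, tried


# Constructed "leaked" rows: what an attacker holds after dumping the database.
# Salts are fixed so the run is reproducible; real code draws them from os.urandom.
LEAKED = {
    "alice@example.com": (b"\x00" * 16, hash_password("password1", b"\x00" * 16)),
    "bob@example.com":   (b"\x01" * 16, hash_password("nK3#vq9!Lz", b"\x01" * 16)),
}

# A tiny constructed wordlist; real attacks use lists with hundreds of millions of entries.
WORDLIST = ["123456", "letmein", "patreon", "password", "password1", "qwerty"]


def attack_dump(pepper: bytes = PEPPER) -> dict:
    """Run the wordlist against every leaked hash. Returns email -> recovered password."""
    return {email: crack(salt, digest, WORDLIST, pepper)[0]
            for email, (salt, digest) in LEAKED.items()}


if __name__ == "__main__":
    # Database only: the attacker does not know the pepper, so nothing is recovered.
    print("database only:", attack_dump(pepper=b""))
    # Database plus source: the exact scheme is known, and the weak password falls.
    # The strong one survives only because it is not in the wordlist.
    print("database + source:", attack_dump())
```

The slow hash does not stop the attack; it only multiplies its cost by the work factor, which is why a short or reused password is still lost once the hashes are public. Raising `ITERATIONS` (or bcrypt's cost) shows the trade-off directly: every guess gets proportionally slower, for the attacker and for the login page alike.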

Patreon was created by musician Jack Conte and developer Sam Yam in 2013 as a means for fans to support creators with crowdfunded monthly payments. Creators set up personal pages on Patreon, where users can pledge a given sum of money to them on a monthly basis, or every time they create a particular piece of work.

Security researcher Troy Hunt, who’s inspected the contents of the data dump, says it includes a fair amount of private messages sent and received by users.

“Obviously all the campaigns, supporters and pledges are there too,” he tweeted. “You can determine how much those using Patreon are making.”

If you’re a Patreon subscriber, make sure you change your password on that site as well as anywhere else you’ve used it.