The hackers behind the cyber-attack on crowdfunding website Patreon, a site designed to allow fans to pay artists, have released their trove of stolen data and it contains more than just user passwords.
The 13.7 gigabytes of hacked data includes user information such as e-mail addresses and passwords — the latter of which were encrypted with bcrypt in a move Ars Technica‘s Dan Goodin referred to in a recent report as one of the hack’s “saving graces” due to the vast amount of time and resources they’d take to crack — but it also includes donation records and source code.
While bcrypt offers a certain level of protection, perhaps enough to dismay those who would attempt to crack it, the release of Patreon’s source code might unveil programming mistakes which allow crackers to expose the otherwise relatively secure data — as such was the case with the hacked Ashley Madison data. If such a scenario becomes reality, stolen passwords may be the least of the worries for those exposed, as the recently dumped data includes tax IDs as well as social security numbers.
According to Troy Hunt’s haveibeenpwned, a website which allows visitors confirm whether their accounts were compromised in a data breach, 2.3 million email addresses were found in the recently leaked Patreon data — of which, 12 percent were already in haveibeenpwned’s database.
New breach: 2.3M email addresses from the Patreon breach. 12% were already in @haveibeenpwned http://t.co/U0QyHZxP6k
— Have I been pwned? (@haveibeenpwned) October 2, 2015
On the upside, if one exists, the crowdfunding website for artists indicated in a post that no credit card data was stolen as a result of the breach because the company does not store full card numbers on their servers.
We do not store full credit card numbers on our servers and no credit card numbers were compromised. Although accessed, all passwords, social security numbers and tax form information remain safely encrypted with a 2048-bit RSA key.
While the company does not require any specific action from its users as a result of the breach, they are recommending that their users change their passwords as a precautionary measure.
