
web Patreon has been hacked!


Nuke87654


 
If you have a Patreon account, I have some terrible news for you folks to know. The entire database of Patreon has been hacked and information has been dumped on the Internet for other users to use for nefarious purposes. According to Horse News, the hack is so bad that you must assume all of your private info you put on that website has been compromised. Take whatever steps are necessary to protect yourself from this horrific failure from Patreon.
 

 

Link to comment
Share on other sites

I wouldn't call it a Failure of Patreon, I'd call it a flaw that happens a lot on the internet. Hackers cannot be kept out, Hackers always find ways, Hackers will always Hack a system. Look at NASA, they have the most advanced computers on Earth yet someone from Romania can Hack into all their stuff. It doesn't matter how complicated your system is or how well funded it is, it'll always be hacked into by someone.

  • Brohoof 1
Link to comment
Share on other sites

It's not the entire Patreon DB that got hacked, which they explained in an e-mail on 9/30. According to Patreon (and the article you posted backs this up): 

"We do not store full credit card numbers on our servers and no credit card numbers were compromised. Although accessed, all social security numbers and tax form information remain safely encrypted, and all passwords securely hashed. No specific action is required of you, but as a precaution we recommend that all users update their passwords on Patreon." 

So it really wasn't a "horrific failure". I've had both credit cards and debit cards cancelled from gas stations, grocery stores, and retailers having their information compromised. The community college I attended 8 years ago was hacked about 3 years ago, and ALL their information was compromised - cards, student records, home addresses, social security numbers, everything they had on record. That was a horrific failure. Mandy.com was a horrific failure. For the most part, I think this slap on the wrist will force Patreon into improving their site security. It also continues to prove that no website is truly safe.

Edit: You should read this message about the hack from Patreon, which explains why the security breach happened, why certain data is safe, and what they are doing to ensure this doesn't happen again.

Edited by Peikko
  • Brohoof 1
Link to comment
Share on other sites

(edited)

I wouldn't call it a Failure of Patreon, I'd call it a flaw that happens a lot on the internet. Hackers cannot be kept out, Hackers always find ways, Hackers will always Hack a system. Look at NASA, they have the most advanced computers on Earth yet someone from Romania can Hack into all their stuff. It doesn't matter how complicated your system is or how well funded it is, it'll always be hacked into by someone.

 

I call it as such because we're not talking about a simple hack, we're talking about someone actually taking one's information and then posting it on the internet. Whatever info is posted on Patreon, they took that info and have successfully shown it on the internet. Meaning whatever info is stored there is pretty much out on the internet for others to see and use.

 

Here's what kind of info was exposed from what people who have explored it have shown was in that 15 GB file:

 

Names
Mailing Addresses
Personal Messages
Email Addresses
Lists of every backer of each creator
DMCA Takedown Logs and IP Addresses
Funding Records
Tax Forms
and more
Edited by Nuke87654
Link to comment
Share on other sites

Here's what kind of info was exposed from what people who have explored it have shown was in that 15 GB file:

 

Names
Mailing Addresses
Personal Messages
Email Addresses
Lists of every backer of each creator
DMCA Takedown Logs and IP Addresses
Funding Records
Tax Forms
and more

 

I don't know where you're getting "tax forms" as being exposed and shared on the download files that are available, but they were not. They were accessed, but not stolen and shared. 

 

Name - who cares? Address - who cares? E-mail address - who cares? For everyone that has ever purchased a physical product from my Storenvy shop, they have this information. This information is public on Google. Look up my name on Google, and you will find my G+ account associated with my e-mail address, along with my home address. Personal messages? What are you afraid of? Were you involved in major illegal activities? No? Then who cares! Anything I would post in a private message on Patreon I don't care if people read - this would be discussions about commission prices and upcoming projects. Not a big deal. List of backers? Who cares. Oh no, Joe Blow supports ___, ___, and ____ people! How terrible! I shall blackmail him for his kind deeds in supporting other artists... not.

Link to comment
Share on other sites

(edited)

I don't know where you're getting "tax forms" as being exposed and shared on the download files that are available, but they were not. They were accessed, but not stolen and shared. 

 

Name - who cares? Address - who cares? E-mail address - who cares? For everyone that has ever purchased a physical product from my Storenvy shop, they have this information. This information is public on Google. Look up my name on Google, and you will find my G+ account associated with my e-mail address, along with my home address. Personal messages? What are you afraid of? Were you involved in major illegal activities? No? Then who cares! Anything I would post in a private message on Patreon I don't care if people read - this would be discussions about commission prices and upcoming projects. Not a big deal. List of backers? Who cares. Oh no, Joe Blow supports ___, ___, and ____ people! How terrible! I shall blackmail him for his kind deeds in supporting other artists... not.

 

I'm getting them from Horse News, an affiliate of 4chan. You may have nothing to worry about, but there are many many people on Patreon who have plenty of enemies and have performed many questionable activities on the internet, and many more who do not wish to have their private info exposed for the world to see. This leak from Patreon is pretty much a gold mine for anyone who wishes to perform doxxing or other threats to a person.

Edited by Nuke87654
Link to comment
Share on other sites

Name - who cares? Address - who cares? E-mail address - who cares?

 

Hi guys, cyber intelligence and security major here. Let me fume for a little bit. 

 

Not so long ago, the Office of Personnel Management (OPM) had a huge data breach. I'm talking millions of federal employees, and they had a lot of private information stolen. The big problem was that this included undercover agents and individuals with security clearances. I'm not sure if this was ever confirmed, but we're pretty damn sure this hack was a result of China. Guess what? Our entire intelligence community is shot in the foot. We're pulling agents out all over the world because they're totally compromised.

 

Even better? Throw the Ashley Madison hack into the mix. Now our enemies can cross-reference emails/addresses/etc. on Ashley Madison against the OPM data and extort federal employees. Think that isn't happening? Too bad, because it is.

 

So why would it matter if the addresses, emails, etc. of normal people were released? Simple: stalking. There's a ton of Open Source software out there that can locate publicly available tweets to within a few meters. You can track the movement of individuals, find their relatives, and see where all of their Instagram pictures were taken. From this hack, we have emails and addresses. That's more than enough to find out where someone lives, where they work, where they go to school, close affiliates, other social media platforms, etc.

 

tl;dr Any hack where personal information is released is a big deal.

Edited by Kolth
  • Brohoof 3
Link to comment
Share on other sites

So why would it matter if the addresses, emails, etc. of normal people were released? Simple: stalking. There's a ton of Open Source software out there that can locate publicly available tweets to within a few meters. You can track the movement of individuals, find their relatives, and see where all of their Instagram pictures were taken. Any hack where personal information is released is a big deal.

 

 

You can stalk essentially any homeowner, as their name, address, and the purchase price of their home is public information online. Seeing as I'm not a secret agent and not overly concerned with stalking from anyone other than my psycho ex, who knows where I live and has my number, this isn't a big deal. Most people post regular updates of where they are on Facebook, making stalking the easiest thing. And as a seller on websites like Storenvy, eBay, etc, anyone who has ever purchased has this info. If you're afraid of being tracked via tweets, then don't use Twitter. If you're afraid of your info being hacked and messages being stolen, then using this website or any social media website is a bad idea.

 

My point was that major financial information wasn't leaked, and in the instance of Patreon - who I seriously doubt secret agents whose identity is crucial to their safety use - this breach is on one of the lowest tiers of "horrific" as far as security breaches go. I would rank it a 2/10, with something like my community college records being a 10/10 since all my financial information went with it, and the college was forced into offering credit monitoring. If you're conducting major illegal activities online on a site like Patreon, you're the biggest idiot on the planet.

Edited by Peikko
Link to comment
Share on other sites

@Peikko, if you're judging a hack only by whether or not financial information was released, please don't go into corporate security. :P

 

The point of my argument: every hack has repercussions on someone. Stalking, etc. is a very real possibility from this hack. This also reflects rather poorly on Patreon--any time a company or organization is hacked, people lose faith in the company. I was actually considering starting a Patreon at some point, but now I'm just slightly more hesitant unless they can shore up their weak spots.

  • Brohoof 1
Link to comment
Share on other sites

@Peikko, if you're judging a hack only by whether or not financial information was released, please don't go into corporate security. :P

 

The point of my argument: every hack has repercussions on someone. Stalking, etc. is a very real possibility from this hack. This also reflects rather poorly on Patreon--any time a company or organization is hacked, people lose faith in the company. I was actually considering starting a Patreon at some point, but now I'm just slightly more hesitant unless they can shore up their weak spots.

And if you're claiming that a hack that releases information that is almost already completely public knowledge as being equal to or less bad than one that releases financial information and takes things like your social security information, then you shouldn't be in your major. Financial information theft leads to identity theft, which can result in: thousands of dollars worth of debt in your name that you cannot clear, denial of loans (for cars, mortgages, being able to sign apartment leases), and even employment, and being unable to open a bank account. So yes, I would consider Patreon's hack a lesser hack than others. It's still unfortunate it happened, but as I mentioned in my first post, they are already taking strides to resolve what happened and prevent it from happening again.

 

And as another note: if you're unsure about using Patreon because of this, I hope you also avoid shopping at: Target, Home Depot, getting insurance with Premera Blue Cross, Anthem Insurance, going to Chick-fil-A, The Post Office, Staples, Kmart, Dairy Queen, etc etc etc. All have at one point been compromised, and I think almost that entire list had the same information (name, mailing address, etc) compromised.

Link to comment
Share on other sites

Yeah, I'm in cyber security. I'm wary about using anything anywhere. :lol: I rarely use my debit card, never buy online (except for Steam, where I use Steam gift cards), and take other steps to protect myself. I'm not terribly worried about my information getting out.

 

Regardless, yes, I agree with you that this hack isn't "as bad" as other hacks. But a data breach is still a data breach and personal information is still personal information.

Link to comment
Share on other sites
