Millions of Emails, Private Messages Leaked in Hack of Donation Site Patreon

By Jonathan Zhou
Jonathan Zhou
Jonathan Zhou
Jonathan Zhou is a tech reporter who has written about drones, artificial intelligence, and space exploration.
October 2, 2015 Updated: October 4, 2015

Earlier this week, the donation website Patreon was hacked, resulting in 16 GB of data, including millions of user emails, private messages, and shipping addresses, being dumped on the internet.

Patreon notified its users of the hack on Sept. 30, and the veracity of the data disseminated on the internet was confirmed by security researcher Troy Hunt, who found his own email in the stolen database. Hunt said that the stolen cache contains 2.3 million emails.

According to Patreon, no credit card information was compromised, and stolen passwords, tax information, and social security numbers were encrypted on bcrypt, which makes the data difficult to unlock with brute-force methods.

 “There was no unauthorized access of our production servers. The development server included a snapshot of our production database, which included encrypted data,” CEO Jack Conte said in a statement.

The company is now working to suppress the distribution of the data. In a statement to Vice, Conte said that Patreon was working with Twitter to suspend accounts that were posting links to the stolen information.

The hack occurred on Sept. 28, when a debug version of the website was available to the public. Patreon had been running the Werkzeug Debugger, according to Detectify Labs, a program that allows for the execution of arbitrary codes. The guide to the program warns that it “must never be used on production machines” as a result.

“We reported this issue to Patreon on the 23rd of September when we noticed that the vulnerable host on Shodan was actually responding again,” Detectify Labs wrote. “Patreon got back to us and told us that they knew about it and was currently working to mitigate it.”

Patreon isn’t the first party to make this error. “While the provided link warns those to not enable the debugger on anything production, it is often ignored or forgotten about and ends up being enabled in the first place,” security research Colin Keigher wrote in December.

Patreon was founded as a crowd-funding site for artists in 2013. The idea was motivated by Conte’s own struggles as an independent musician whose primary performance avenue was YouTube. The company raised $15 million in Series A funding in June 2014.

Jonathan Zhou is a tech reporter who has written about drones, artificial intelligence, and space exploration.