Since its inception last year, the crowdfunding site known as Patreon has been a popular spot for YouTubers seeking to underwrite their ongoing video productions. Think of it as a kind of PBS pledge drive meets Kickstarter, where backers can fund single episodes or make an ongoing donation from project to project. It was working very well, until a hacker spoiled the party.
Here's what happened. An attacker broke into Patreon's servers and stole over 15GB of data, including more than 2 million backer email addresses, donation records, private messages and password hashes. The attacker also published the website's source code. What's interesting is that the breach looks very similar in footprint to the one at the adult cheating website Ashley Madison, leading many to conclude that Patreon was hit by the same group.
"The fact that source code exists ... is interesting [and] suggests much more than just a typical SQL injection attack and points to a broader compromise. At the very least, it means mapping individuals with the Patreon campaigns they supported. There's more data. I'll look closer once the restore is complete." - Troy Hunt, Security Researcher, interview with Ars Technica
The data also exposes private messages between Patreon campaigners and backers, as well as how much each campaign is earning per project. "Obviously all the campaigns, supporters and pledges are there too," says security researcher Troy Hunt via Twitter. "You can determine how much those using Patreon are making."
Patreon says plaintext passwords were not exposed because it stores them with bcrypt, an open-source password-hashing function that is deliberately slow and salted, so recovering passwords from the stolen hashes means an expensive brute-force effort rather than a simple lookup. That protection is only as good as the passwords themselves, though: short or common passwords still fall to dictionary attacks, and the tunable cost factor only raises the price per guess. And with the source code now in the attackers' hands, they can pore over it for weaknesses that let them break individual accounts more cheaply, which is exactly what happened in Ashley Madison's hack last month, where the leaked code revealed a much weaker secondary hash derived from the same passwords.
If they also manage to get hold of the encryption keys, it's possible they could decrypt and harvest even more sensitive personal information, such as social security numbers or taxpayer IDs.
Is it a big deal that hackers know the identities of backers and what they are backing? It could be, if a backer supported an embarrassing campaign they would rather not be associated with. Hunt also warns that the breach leaves the privacy of Patreon's 2.5 million members extremely vulnerable: "The dollar figure for the Patreon campaigns isn't the issue, it's supporters identities, messages, etc. Everything private now public."
The worst part is that, according to a report by Ars Technica, Patreon had been warned a week before the breach by a security firm that it was vulnerable, thanks to a programming error that left debugging functions reachable from the internet, which is exactly what the attackers went on to exploit. Worse still, the exposure was trivial to find: a simple internet-wide search turns up servers running these debugging functions, which are known to be dangerous when exposed, because they allow remote access to the application and remote execution of commands. Debugging tools of this kind belong on a developer's machine, never on a public-facing production host.
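To make the class of bug concrete, here is an added example, not Patreon's code and not the actual debugging function involved in the breach. It shows a stripped-down request handler with an interactive debug console that evaluates caller-supplied input (the vulnerable pattern), the same handler hardened so the console only exists in a debug configuration and only for loopback clients, a start-up check that refuses to run with debugging enabled on a public listener, and a small access-log scan that flags probes of the debug path. The path name, the config keys, the secrets and the log lines are all constructed for the demo.

```python
import ipaddress
from typing import Dict, List, Tuple

# Hypothetical path for the demo; real frameworks use their own.
DEBUG_CONSOLE_PATH = "/__debug__/console"

# Constructed application state: the kind of thing a live debugger can reach.
APP_SECRETS = {"db_password": "hunter2-db", "session_key": "c0ffee"}


def debug_console(expr: str) -> str:
    """The dangerous primitive: evaluate caller-supplied text inside the
    process. Whoever can reach this runs code with the app's privileges."""
    return repr(eval(expr, {"__builtins__": {}}, {"secrets": APP_SECRETS}))


def handle_request_vulnerable(path: str, params: Dict[str, str],
                              client_ip: str) -> Tuple[int, str]:
    """Vulnerable pattern: the console is wired in unconditionally, so it
    is reachable from the public internet on the production host."""
    if path == DEBUG_CONSOLE_PATH:
        return 200, debug_console(params.get("expr", "None"))
    return 404, "not found"


def check_startup_config(config: Dict[str, object]) -> None:
    """Fail closed: refuse to start with debugging enabled on a listener
    that is not bound to a loopback address."""
    bind = ipaddress.ip_address(str(config["bind_address"]))
    if config.get("debug") and not bind.is_loopback:
        raise RuntimeError(
            f"debug console enabled while bound to {bind}; refusing to start")


def handle_request_hardened(path: str, params: Dict[str, str], client_ip: str,
                            config: Dict[str, object]) -> Tuple[int, str]:
    """Hardened: the console exists only when debug is on and the client is
    loopback. A production config (debug=False) never exposes it, and the
    refusal looks like any other unknown path, so it leaks nothing."""
    if path == DEBUG_CONSOLE_PATH:
        if config.get("debug") and ipaddress.ip_address(client_ip).is_loopback:
            return 200, debug_console(params.get("expr", "None"))
        return 404, "not found"
    return 404, "not found"


def find_debug_probes(access_log: str) -> List[Tuple[str, str, str]]:
    """Detection: requests for the debug path from non-loopback sources.
    Assumed log format: '<ip> "<METHOD> <path> HTTP/1.1" <status>'."""
    hits = []
    for line in access_log.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ip, path, status = parts[0], parts[2], parts[-1]
        if (path.startswith(DEBUG_CONSOLE_PATH)
                and not ipaddress.ip_address(ip).is_loopback):
            hits.append((ip, path, status))
    return hits


# Constructed sample log: one external probe, one local use, one normal hit.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 "GET /__debug__/console?expr=secrets HTTP/1.1" 200
127.0.0.1 "GET /__debug__/console?expr=1 HTTP/1.1" 200
198.51.100.23 "GET /index.html HTTP/1.1" 200
"""

PROD_CONFIG = {"debug": False, "bind_address": "0.0.0.0"}
DEV_CONFIG = {"debug": True, "bind_address": "127.0.0.1"}

if __name__ == "__main__":
    probe = {"expr": "secrets['db_password']"}
    print("vulnerable:", handle_request_vulnerable(DEBUG_CONSOLE_PATH, probe, "203.0.113.7"))
    print("hardened/prod:", handle_request_hardened(DEBUG_CONSOLE_PATH, probe, "203.0.113.7", PROD_CONFIG))
    print("hardened/dev/local:", handle_request_hardened(DEBUG_CONSOLE_PATH, probe, "127.0.0.1", DEV_CONFIG))
    print("probes:", find_debug_probes(SAMPLE_ACCESS_LOG))
```

The vulnerable handler hands the database password to any client that knows the path, which is why an internet-wide scan for the path is enough to find victims. The hardened version does not try to make the console safe; it removes it from the production configuration entirely and, as a second layer, refuses to start at all if someone flips debug on while the listener is bound to a public address. The log scan is the check a responder would run after such a warning, to see whether the path was already being hit from outside.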
One thing is certain: those who rely on Patreon for their creative livelihoods are going to face an uphill battle from here on out in getting people to pledge via Patreon's web portal. Once the damage is done, it could take a long time for backers to trust the site again.