Bcrypt, as you will remember from the Ashley Madison breach, is designed to make each password guess slow enough that attackers simply can’t try enough of them to get anywhere, except perhaps against users who chose really obvious passwords that sit right at the top of any cracker’s “try these first” list. “The good thing is that since all the commands sent into Werkzeug are sent via GET requests, (Patreon) will most certainly be able to see exactly what commands were being issued. The dump also contained messages, a few with very personal info”. “The operations team at Patreon is working hand-in-hand with Twitter’s trust and safety team”.
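To make the bcrypt point above concrete, here is an added example (not code from the article or from Patreon): a cost-parametrised password hash, a verifier, and a “try these first” attack that only succeeds when the victim picked a top-of-list password. bcrypt itself is not in Python’s standard library, so PBKDF2-HMAC-SHA256 from hashlib stands in for it; the work-factor idea is the same. The iteration count, the function names and the short wordlist are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Assumed work factor for the example. In production you raise this until one
# verify_password() call costs on the order of 100 ms on your own hardware.
ITERATIONS = 100_000

# Constructed stand-in for the top of a cracker's wordlist.
TOP_GUESSES = ["123456", "password", "12345678", "qwerty", "password1", "letmein"]


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> Tuple[bytes, int, bytes]:
    """Return (salt, iterations, digest). A fresh random salt per user means a
    cracker cannot reuse one guess's work against every account."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return salt, iterations, digest


def verify_password(password: str, salt: bytes, iterations: int, digest: bytes) -> bool:
    """Recompute the hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return hmac.compare_digest(candidate, digest)


def crack_with_top_list(salt: bytes, iterations: int, digest: bytes,
                        guesses=TOP_GUESSES):
    """Offline attack on one stolen record: try the top guesses in order.
    Returns (password_or_None, guesses_tried, seconds_spent)."""
    start = time.perf_counter()
    for n, guess in enumerate(guesses, 1):
        if verify_password(guess, salt, iterations, digest):
            return guess, n, time.perf_counter() - start
    return None, len(guesses), time.perf_counter() - start


def seconds_per_guess(iterations: int = ITERATIONS, samples: int = 3) -> float:
    """Measure the cost of one guess at this work factor (single core, this host)."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", f"probe{i}".encode(), salt, iterations, dklen=32)
    return (time.perf_counter() - start) / samples


def time_to_exhaust(wordlist_size: int, iterations: int = ITERATIONS) -> float:
    """Projected seconds to try every entry of a wordlist against ONE hash."""
    return wordlist_size * seconds_per_guess(iterations)


if __name__ == "__main__":
    # Weak password: falls to the top-of-list attack after a handful of guesses.
    rec = hash_password("letmein")
    print("weak:", crack_with_top_list(*rec))
    # Strong password: the top list is exhausted without a hit.
    rec = hash_password("Tr1-chord-parcel-Pale")
    print("strong:", crack_with_top_list(*rec))
    # The work factor is what makes a large wordlist impractical per account.
    print("hours for a 10M-word list, one hash:", time_to_exhaust(10_000_000) / 3600)
```

The numbers printed by the last line are per stolen hash; because every record carries its own salt, that cost is paid again for each of the millions of users in a dump, which is why only the passwords at the very top of the list are at real risk.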
According to the email notice, although they were accessed, all social security numbers and tax form information “remain safely encrypted, and all passwords securely hashed”.
While the breach was significant, Patreon doesn’t store full credit card numbers, and whatever banking information it does store was not compromised.
Patreon acknowledged the breach on September 30, saying that hackers gained access to names, email addresses, posts, and some shipping addresses, along with some billing addresses that were added prior to 2014. The breached server included a snapshot of Patreon’s production database, but the attackers did not actually access Patreon’s production servers. Still, he recommended that users at least change their Patreon passwords just in case.
One analyst suggests that the data includes more than two million unique email addresses together with “all the campaigns, supporters and pledges”. Private keys and API keys have also been changed as a precaution. “We are being meticulous and rigorous in the investigation and based on conversations with dozens of advisors and security experts, I’m highly confident that we’re doing everything in our power to minimize the impact on our users”. We are also engaging a third-party security firm to do a comprehensive internal security audit and will be implementing new tools and practices to ensure industry-leading security for our users and their data. Vince is a board volunteer on Baphomet, an 8chan community focusing on raids on other sites and hacking.