Crowdfunding site Patreon has become the latest victim of a data breach, though this one’s slightly more interesting than your garden variety hack.
Patreon acknowledged the breach on September 30, saying that hackers gained access to names, email addresses, posts, and some shipping addresses, along with some billing addresses that were added prior to 2014. The site also reported unauthorized access to encrypted passwords, social security numbers, and tax form information. Credit card data wasn’t compromised in the breach.
The theft of hashed passwords and social security numbers isn’t unheard of in data breaches, and while stored password hashes can be cracked with enough effort, Patreon at least protected passwords with bcrypt, a hashing function designed to be slow. Every guess an attacker makes has to pay that computational cost, which should make cracking attempts much slower and more expensive.
The problem, Ars Technica reports, is that the hacked data appears to include source code. As we saw with the hack of infidelity website Ashley Madison—which also used bcrypt—hackers could use this code to dig up programming errors that might aid the password cracking process. If Patreon’s encryption key is discovered, it could also reveal users’ social security numbers and Tax IDs.
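The two points above, a slow password hash buying time and a source-code defect giving it away, can be shown in working code. What follows is an added example written for this page, not Patreon’s code and not anything taken from the breach. Because bcrypt is not in the Python standard library, it uses `hashlib.scrypt`, which shares the property the article attributes to bcrypt (a tunable cost per guess). The "remember me" token at the end is a hypothetical pattern of the kind a source-code review might turn up, shown next to its hardened form; the username, password and salt values are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import secrets
import time

# Assumption: bcrypt is unavailable, so scrypt (also a tunable-cost password
# hash in the standard library) stands in for it. The record format below is
# this example's own, not bcrypt's "$2b$..." format.
SCRYPT_R, SCRYPT_P, KEY_LEN = 8, 1, 32


def hash_password(password: str, log2_cost: int = 14) -> str:
    """Hash a password with a fresh random salt.

    Returns a self-describing record 'scrypt$<log2 N>$<salt hex>$<key hex>' so
    the cost can be raised later without invalidating existing records.
    """
    salt = os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=1 << log2_cost,
                         r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return f"scrypt${log2_cost}${salt.hex()}${key.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and cost; compare in constant time."""
    algo, log2_cost, salt_hex, key_hex = record.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported password record")
    key = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                         n=1 << int(log2_cost), r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


def record_cost(record: str) -> int:
    """log2 of the scrypt N parameter stored in a record (for cost-upgrade migrations)."""
    return int(record.split("$")[1])


def slowdown_factor(log2_cost: int = 14) -> float:
    """How many times longer one scrypt evaluation takes than one SHA-256.

    This ratio is the margin the slow hash buys the defender: anyone holding
    only the stored records pays this cost for every candidate password.
    """
    salt = b"constructed-salt"           # constructed; real code uses os.urandom
    t0 = time.perf_counter()
    for _ in range(1000):
        hashlib.sha256(b"candidate").digest()
    fast = (time.perf_counter() - t0) / 1000
    t0 = time.perf_counter()
    hashlib.scrypt(b"candidate", salt=salt, n=1 << log2_cost,
                   r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    slow = time.perf_counter() - t0
    return slow / max(fast, 1e-9)


# The kind of defect a leaked code base can expose (hypothetical, not from any
# real site): a second, fast, unsalted digest derived from the password and
# stored for convenience. It turns the slow hash into decoration, because a
# guess can be checked against the fast digest instead of the slow one.

def weak_remember_me_token(username: str, password: str) -> str:
    # ANTI-PATTERN: deterministic, fast, and built from the password itself.
    return hashlib.sha256((username.lower() + password).encode("utf-8")).hexdigest()


def safe_remember_me_token() -> str:
    # Hardened form: a random value carrying no password material at all.
    # Store only a hash of it server-side and bind it to the session record.
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print("verify ok:", verify_password("correct horse battery staple", rec))
    print("scrypt is about %.0fx slower than SHA-256 per guess" % slowdown_factor())
```

Raising `log2_cost` by one doubles the work per guess, and `record_cost` lets a login path re-hash old records at a higher cost as users sign in. The weak token is deterministic for a given username and password, so it can be guessed offline at fast-hash speed; the hardened token cannot be, because it contains nothing derived from the password.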
The hack is also unique for its inclusion of donation records, along with correspondence between supporters and their beneficiaries. “The dollar figure for the Patreon campaigns isn’t the issue,” security researcher Troy Hunt wrote on Twitter, “it’s supporters identities, messages, etc. Everything private now public.”
Why this matters: Internet firms often point to the strength of their encryption when passwords and other sensitive details are stolen. But this hack just shows that if a breach is extensive enough, it can still cause real damage despite powerful cryptography.