Hackers have published almost 15 gigabytes’ worth of password data, donation records, and source code taken during the recent hack of the Patreon funding website.
PATREON: SOME USER NAMES, E-MAIL AND MAILING ADDRESSES STOLEN
At least passwords were encrypted with 2048-bit RSA, hashed via bcrypt, and salted.
The data has been circulating in various online locations and was reposted here by someone who said it wasn’t immediately possible to confirm the authenticity of the data. Security researcher Troy Hunt has since downloaded the archive file, inspected its contents, and concluded that they almost certainly came from Patreon servers. He said the amount and type of data posted by the hackers suggest the breach was more extensive and potentially damaging to users than he previously assumed.
“The fact that source code exists … is interesting [and] suggests much more than just a typical SQL injection attack and points to a broader compromise,” he told Ars. Referring to the inclusion of a 13.7-gigabyte database, he added: “At the very least, it means mapping individuals with the Patreon campaigns they supported. There’s more data. I’ll look closer once the restore is complete.”
He said unpacking such a large archive file, sorting through its contents, and loading various MySQL database files takes time. Hunt, who maintains the widely visited have i been pwned? website, said he expected to index affected e-mail addresses on the service as soon as possible. Update 1: Hunt has now been able to sift through the data and has found 2.3 million unique e-mail addresses, including his own.
ONCE SEEN AS BULLETPROOF, 11 MILLION+ ASHLEY MADISON PASSWORDS ALREADY CRACKED
Programming errors make 15.26 million accounts orders of magnitude faster to crack.
According to Patreon officials, user passwords were cryptographically protected using bcrypt, a hashing function that’s extremely slow and computationally demanding to use. Its use was one of the saving graces of the breach, since it meant crackers would have to devote vast amounts of time and resources to crack the hashes. With the inclusion of source code, however, it’s possible crackers may find programming mistakes that could significantly accelerate the process. That’s precisely what crackers did last month to bcrypt-hashed password data taken during the hack of the cheaters dating website Ashley Madison. Access to the source code may also expose the encryption key said to protect social security numbers and tax IDs.
Hunt isn’t the only one to view the contents. Several people have posted screenshots of the purported Patreon data on social media sites, including the image included at the top of this post. If authentic, some of the contents were generated on Patreon servers as recently as September 24. As this Ars post was being prepared, a variety of Patreon subscribers, including this one, took to Twitter to say they found their e-mail addresses in the dump.
Patreon subscribers should make sure they have changed their compromised password, both on Patreon and on any other websites it may have been used. Patreon users should also be prepared for the very real possibility that anything they did on the donations site is now a permanent part of the Internet record.
Update 2: Hunt said the release appears to include the entire database taken in the hack, including a fair number of private messages sent and received by users. “Obviously all the campaigns, supporters and pledges are there too,” he wrote in one tweet. “You can determine how much those using Patreon are making.” In a separate tweet, he wrote: “The dollar figure for the Patreon campaigns isn’t the issue, it’s supporters identities, messages, etc. Everything private now public.”