Go-to site for people to support their favorite artists and Internet personalities Patreon, Inc. announced late last night that the website’s database had been compromised. According to a security advisory released at the time, the information accessed included “registered names, email addresses, posts, and some shipping addresses,” additionally some billing addresses added prior to 2014 were accessed.

The company put special emphasis in that no credit card information had been compromised as full credit card numbers are not stored on the servers and no credit card numbers were accessed.

“Although accessed, all passwords, social security numbers and tax form information remain safely encrypted with a 2048-bit RSA key.  No specific action is required of our users,” Jack Conte, CEO/Co-founder, Patreon wrote in the announcement. He also added that, as a security precaution, users are encouraged to reset their passwords as it standard for any time a website has a password database compromise.

Patreon is a widely used website that connects fans and artists. Through the website fans can choose to pay a small (or large) amount for interesting projects either per product produced by the artist (say, per song for musicians or per video for YouTube stars), or according to a monthly schedule from $1 to hundreds of dollars. Due to the popularity of the website it acts as a companion to Kickstarter for keeping artsy projects afloat, and artists can use it to connect to fans by giving those who pay special access, previews, or products as a “thank you” for support.

What happened at Patreon?

The compromise was discovered to have happened on a debug Patreon server available to the public on September 28th. Once the unauthorized access was discovered that server was shut down and all non-production servers were moved behind the firewall.

The production servers of Patreon did not suffer any compromise–however, the debug server did include a snapshot of production, which had encrypted data. No private keys that would allow login to the production servers existed on the debug server. Engineering teams verified that no unauthorized access to production occurred by checking access logs.

As a precaution Patron has reset all of its private keys and API keys that provide access to third-party services used by the company.

To protect users, Patreon uses a hashing scheme called ‘bcrypt’ and uses random salt for each individual password. Bcrypt is a strong password hashing library that uses encryption to protect passwords in the event they are “seen” by an attacker, although it was released in 1999, it remains extremely resilient to brute force attacks. Most importantly, this means that, although compromised, the attackers who hit Patreon will have a hard time accessing that information.

The aftermath at Patreon

According to the security advisory, Patreon’s engineering team immediately took action to make access to the affected server impossible and is currently conducting a rigorous investigation into how the compromise happened.

The company has also engaged “a 3rd party security firm to do a comprehensive internal security audit.”

Over the years, hackers have continued to compromise various websites, steal usernames, passwords, and email addresses. Security in the Internet age is often about risk management designed around preventing access at the front line but also mitigating the damage when unauthorized access happens.

In 2011, Valve Corporation’s video game distribution service Steam was hacked, potentially exposing credit card information; in 2013, Twitter, Inc. was hacked, exposing 250,000 usernames and passwords; in 2015 the forums of Epic Games, Inc., developer of first person shooter games, was also hacked exposing the names and dates of birth of users. These three examples are only a small number of the total sites hacked between 2011 and 2015–but the outcome is usually the same: usernames, passwords, emails, and other information fall into the hands of hackers.

Why it may be difficult for attackers to successfully break passwords (if they are encrypted properly) it is always a good idea to reset passwords after an attack. Also, usernames and emails can be sold to spammers or be used for phishing attacks (i.e. specially crafted emails designed to lure targets into revealing information).

Featured image credit: photo via Charis Tsevis