Hackers Dump Entire Database Of Artist Crowdfunding Website Patreon Online

Bcrypt, as you will remember from the Ashley Madison breach, is designed to make each password guess slow enough that attackers simply can’t try enough guesses to get anywhere, except perhaps for users who chose really obvious passwords that are right at the top of any cracker’s “try these first” list. In a statement to Vice, Conte said that Patreon was working with Twitter to suspend accounts that were posting links to the stolen information. Patreon has enlisted the assistance of a third-party security firm to review internal procedures and incorporate new security protocols.

According to reports, a large amount of data was spilled, including names, addresses, private posts and so on: close to 15 gigabytes.

“I am so sorry to our creators and their patrons for this breach of trust”, Patreon’s CEO and co-founder Jack Conte wrote in a notice posted on the site. We apologize to you for this breach of trust.

Patreon allows people to make regular donations to artists for projects.

“Although accessed, all passwords, social security numbers and tax form information remain safely encrypted with a 2048-bit RSA key”, the Patreon CEO said. Referring to the inclusion of a 13.7-gigabyte database, he added: “At the very least, it means mapping individuals with the Patreon campaigns they supported”. He nevertheless urged users to change their username information immediately, though only as a precaution.

Even though the passwords were encrypted, they’re far from immune: although brute-forcing the information would take time, it’s possible that programming mistakes will be revealed in the leaked source code, enabling hackers to crack the passwords much faster.

Security researcher Troy Hunt told Ars Technica the fact that the hackers got their hands on source code suggests that the compromise is more than an SQL injection attack. Security in the Internet age is often about risk management designed around preventing access at the front line but also mitigating the damage when unauthorized access happens. “I’m highly confident that we’re doing everything in our power to minimize the impact on our users”, said Conte, as The Verge reported.
