Patreon, a rewards-based crowdfunding platform that focuses on musicians and other content creators, has been hacked. CEO and founder Jack Conte posted a notice on the site this past Wednesday stating that hackers had breached the site, including a database that held user data. Fortunately, no credit card, tax information or social security numbers were said to have been compromised.
The vulnerability was discovered on the site's development servers; production was not compromised. Patreon has enlisted a third-party security firm to review its internal procedures and introduce new security protocols.
Patreon has hosted several high-profile rewards campaigns, including one by Amanda Palmer.
This is not the first time a rewards-based crowdfunding platform has been attacked by malicious individuals. In early 2014 Kickstarter suffered a similar security breach.
The notice by Conte is reproduced below.
Important Security Notice from Patreon
Published Sep 30, 2015
Yesterday I learned that there was unauthorized access to a Patreon database containing user information. Our engineering team has since blocked this access and taken immediate measures to prevent future breaches. I am so sorry to our creators and their patrons for this breach of trust. The Patreon team and I are working especially hard right now to ensure the safety of the community.
There was unauthorized access to registered names, email addresses, posts, and some shipping addresses. Additionally, some billing addresses that were added prior to 2014 were also accessed. We do not store full credit card numbers on our servers and no credit card numbers were compromised. Although accessed, all passwords, social security numbers and tax form information remain safely encrypted with a 2048-bit RSA key. No specific action is required of our users, but as a precaution I recommend that all users update their passwords on Patreon.
Here are some technical details of the incident:
- The unauthorized access was confirmed to have taken place on September 28th via a debug version of our website that was visible to the public. Once we identified this, we shut down the server and moved all of our non-production servers behind our firewall.
- There was no unauthorized access of our production servers. The development server included a snapshot of our production database, which included encrypted data.
- The development server did not have any private keys that would allow login access to any other server. We verified our authorization logs on our production servers to ensure that there was not any unauthorized access.
- As a precaution, we have rotated our private keys and API keys that would allow access to third-party services that we use.
- We protect our users’ passwords with a hashing scheme called ‘bcrypt’ and randomly salt each individual password. Bcrypt is non-reversible, so passwords cannot be “decrypted.” We do not store plaintext passwords anywhere.
As soon as we discovered this issue, our engineering team immediately prevented further access and is now conducting a rigorous investigation of our security systems. We are also engaging a 3rd party security firm to do a comprehensive internal security audit and will be implementing new tools and practices to ensure industry-leading security for our users and their data.
I take our creators’ and patrons’ privacy very seriously. It is our team’s mission to help creators get paid for the immeasurable value they provide to all of us, and earning your trust to provide that service in a safe and secure way is Patreon’s highest priority. Again, I sincerely apologize for this breach, and the team and I are making every effort to prevent something like this from happening in the future.
Jack Conte, CEO/Co-founder, Patreon
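The password-storage property the notice describes (a random salt per password, a slow non-reversible derivation, verification by recomputation rather than decryption) is shown below as an added example; it is not Patreon's code. Since bcrypt is not in the Python standard library, PBKDF2-HMAC-SHA256 from hashlib stands in for it, and the users table content is constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Stand-in for bcrypt: PBKDF2-HMAC-SHA256 from the standard library. The storage
# properties demonstrated are the ones the notice claims for bcrypt: per-user
# random salt, deliberately slow derivation, no way to recover the password.
ITERATIONS = 200_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iters$salt_hex$hash_hex'.

    A fresh random salt is drawn on every call unless one is supplied, so two
    users who chose the same password end up with different records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive from the stored salt and compare in constant time.

    The record never has to be 'decrypted'; a login check is a recomputation.
    """
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def build_users_table() -> Dict[str, str]:
    """Constructed sample of what a copied database snapshot would hold."""
    return {
        "alice": hash_password("correct horse battery staple"),
        "bob": hash_password("correct horse battery staple"),  # same password as alice
    }
```

Because each record carries its own salt, an attacker holding the snapshot cannot test one guess against every user at once, and identical passwords are not revealed by identical records.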