Patreon thieves drop data, expose users' info all over web
15GB file lifted from crowd-funding outfit hits dump sites
Attackers who compromised crowd-funding outfit Patreon have dumped its user data on various bin sites around the web.
It's perhaps a small irony that one of the dumps has landed on Mega, the Kim Dotcom-founded file-store that calls itself “The Privacy Company” (note: Dotcom is no longer involved with the business and has said that people should avoid it*).
Microsoft security bod Troy Hunt has promised an analysis of the data, but warned it's a big dump that might take some time. His short take on Twitter was that the dumps looked like the real thing.
I've had multiple reports of people finding themselves in the Patreon data, seems legit, just a question of data types and volumes now.— Troy Hunt (@troyhunt) October 2, 2015
Hunt expects to add Patreon members to his HaveIBeenPwned service once he's pored over the massive data dump.
While of a different order to the Ashley Madison data dumps, there are two issues Patreon members could face. Firstly, it's possible there may be personal or employment reasons for contributing anonymously to projects (or political reasons, for that matter); secondly, that any leak of personal data helps identity thieves.
With 15GB of data in the drop, there could be a lot of personal details in the leak.
And unlike Ashley Madison, there's no suggestion that the Patreon lists are salted or polluted by substantial numbers of fake profiles.
Since site source code was apparently included among the compromised data – as Patreon explained, the data leak happened because a debug version of the site ended up outside the firewall – there's a risk that the site's code might help attackers recover the bcrypt-hashed data. ®
*Earlier this year, Dotcom told Slashdotters he'd severed his ties with Mega.nz and it was not to be trusted. ®