Patreon patrons: It's password-reset time

Crowd-funding org let debug site slip outside firewall

Popular Internet patronage and crowd-funding site Patreon has been popped, with user data stolen.

This short notice at the site says, however, that it didn't keep credit card numbers on-site, and believes that the most important user data remains protected – “all passwords, social security numbers and tax form information remain safely encrypted”, the notice states.

In a stark contrast to so many breach notices, Patreon leads with an apology: “I am so sorry to our creators and their patrons for this breach of trust. The Patreon team and I are working especially hard right now to ensure the safety of the community”, co-founder Jack Conte writes in the post.

Conte recommends users reset their passwords.

“The unauthorised access was confirmed to have taken place on September 28th via a debug version of our website that was visible to the public. Once we identified this, we shut down the server and moved all of our non-production servers behind our firewall,” he adds.

While that version of the site included a snapshot of user data (encrypted), Conte says the company's private keys weren't compromised, and both the internal keys and the API keys that allow third-party access to Patreon have been rotated. ®

Biting the hand that feeds IT © 1998–2019