Breach, Compliance Management, Data Security, Privacy, Vulnerability Management

Patreon’s hack exposes data on 2.3 million users

Cybersecurity firm Detectify said it tried to warn crowdfunding platform Patreon that it was at risk of attack about five days before a hack exposed the personal information of 2,330,382 anonymous donors.

Troy Hunt, creator of haveibeenpwned, revealed on Twitter last week that the breach laid bare the email addresses of Patreon donors. It also exposed billing addresses, site comments, and personal messages between Patreon's donors and creators.

And in a blog post on the Patreon web site, Jack Conte, Patreon's CEO, said a debug version of the website was visible to the public. He noted that no credit card numbers were compromised. All of the company's non-production servers have since been place behind a firewall. Conte told SCMagazine.com in an email correspondence that the company is cooperating with law enforcement and has engaged a third-party security firm to help guide its response to the breach.

But Detectify security advisor Frans Rosén wrote in a blog post that Patreon likely was hacked because it was running the Werkzeug utility library, a Web application tool, in debut mode on a public-facing subdomain.

That, Rosén told SCMagazine.com, created a vulnerability allowing anyone to insert code onto the company's server, something Dectectify warned Patreon about on Sept. 23, five days before the hack.

Prior to Patreon's hack, the Werkzeug application was clear about the risks of using the debugger in production environments. The Werkzeug application contained a notice in large bold letters on the Werkzeug utility library, warning against running the debugger in production environments. The Werkzeug utility library has since created a patch to prevent this vulnerability.

In the Detectify blog post, Rosén warned of "thousands of publicly available instances of Werkzeug Debugger" and suggested that "every one of them should take proper mitigation actions as if they have already been exploited."

At least one individual has published the data leaked from Patreon. The anonymous privacy activist "TheCthulhu" wrote in a blog post that “there is a public interest whenever such data is leaked, both from journalists in established outlets and independent forms of media.” Publishing the information, he contended, fosters a conversation and "allows the public to vet what procedures are in place at companies to protect data.”

TheCthulhu claimed his efforts enabled “journalists and others to focus on the work of analysing the data and leaving the management of that source to me” rather than risk using other sources of leaked data, many of which are unknown and which may contain malware.

The data hack could have been far worse, TheCthulhu said, if Patreon had not made use of bcrypt, a hashing algorithm to encrypt user passwords, which the activist called "an example of a very good security measure that other organisations and businesses should take note of, especially the many who still store passwords in plain text." Bcrypt ensured that user passwords remained secure despite the hack.

Hunt told SCMagazine.com that Patreon's hack should serve as a warning for companies that take production data and provide the data to developers in a non-production environment. "I think the lesson for everyone else," he said, "is to be conscious of the environment of the data.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.