Jack Conte [pictured], CEO of crowdfunding Web site Patreon, has reported unauthorized access to a Patreon database containing user information. Although he has assured users that the firm’s engineering team has since blocked this access and taken immediate measures to prevent future breaches, the initial damage has been done.
“The unauthorized access was confirmed to have taken place on September 28th via a debug version of our Web site that was visible to the public,” Conte, also cofounder of the company, wrote in a blog post. “Once we identified this, we shut down the server and moved all of our non-production servers behind our firewall.”
What the Hackers Got
Specifically, there was unauthorized access to users’ registered names, e-mail addresses, posts, and some shipping addresses. What’s more, some billing addresses that were added prior to 2014 were also accessed. However, Patreon said it does not store full credit card numbers on its servers and no credit card numbers were compromised.
“Although accessed, all passwords, Social Security numbers and tax form information remain safely encrypted with a 2048-bit RSA key,” Conte said. “No specific action is required of our users, but as a precaution I recommend that all users update their passwords on Patreon.”
Conte explained that Patreon protects its users’ passwords with a hashing scheme called “bcrypt” and randomly salt each individual password. Bcrypt is non-reversible, so passwords cannot be decrypted. “Salting” is a security practice of adding random data (a “salt”) to a password before hashing it and storing the hashed value. Conte said Patreon does not store plaintext passwords anywhere.
“I take our creators’ and patrons’ privacy very seriously. It is our team’s mission to help creators get paid for the immeasurable value they provide to all of us, and earning your trust to provide that service in a safe and secure way is Patreon’s highest priority,” Conte said. “Again, I sincerely apologize for this breach, and the team and I are making every effort to prevent something like this from happening in the future.”
Incorporating Security
We caught up with Ken Westin, senior security analyst at Tripwire, to get his thoughts on the Patreon breach. He told us it’s a challenge for companies to incorporate security into their DevOps processes. However, it is becoming increasingly important to do so, he said.
“This breach reveals a vulnerability that thousands of other sites are also exposed to due to a debugging configuration and utility running on these systems. Security teams need to secure all infrastructure, including development and testing environments, not just systems in production,” Westin said.
“If security is incorporated at the time systems are architected, it can save a great deal of time down the road, along with reduce the risk of a compromise. But, this requires more resources for security teams that may already be stretched thin,” he added.