Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Crime Privacy Security

Patreon Hacked, Personal Data Accessed 79

AmiMoJo writes: In a blog post Jake Conte, CEO and co-founder of Patreon, writes: "There was unauthorized access to registered names, email addresses, posts, and some shipping addresses. Additionally, some billing addresses that were added prior to 2014 were also accessed. We do not store full credit card numbers on our servers and no credit card numbers were compromised. Although accessed, all passwords, social security numbers and tax form information remain safely encrypted with a 2048-bit RSA key."
This discussion has been archived. No new comments can be posted.

Patreon Hacked, Personal Data Accessed

Comments Filter:
  • by Anonymous Coward

    Erm,

    Passwords should never be encrypted. Anyone who signed up should assume their passwords are fucked, especially since the private key for decrypting them (assuming this guy even knows what he's talking about) is almost certainly in the app.

    • So ... passwords should be stored in plain text and unencrypted?

      • by lakeland ( 218447 ) <lakeland@acm.org> on Thursday October 01, 2015 @05:59PM (#50640301) Homepage

        No, they should only store the hash.

      • by Anonymous Coward

        No, they should be hashed and salted and stir fried.

      • by John Bokma ( 834313 ) on Thursday October 01, 2015 @06:02PM (#50640325) Homepage
        No. A password should be used as the parameter for a one-way function ("hash function") and the result should be stored. If the user logs in, the password given should be used as a parameter for the same one-way function. If the result is the same as the value stored, the password is the same. Good properties of such a hash function is that it's slow, that the probability of result values is uniformly distributed, and that similar input values don't result in similar output values.

        Because pre-calculated tables exist it's good practice to add a "salt" to the password. Otherwise one just calculates the hash value of '1234567' and looks in the results for this hash value.

        • by tepples ( 727027 )

          True, passwords used by users to authenticate to site A need to be hashed with salt and key stretching when stored on site A. But the only way to let site A perform actions on site B on the user's behalf is to store a "password" for site B on site A's servers. For example, an RSS reader application may need to log into other sites to retrieve non-public feeds to which the user has subscribed.

        • by Anonymous Coward

          Good properties of such a hash function is that it's slow, that the probability of result values is uniformly distributed, and that similar input values don't result in similar output values.

          I would add that it should be a cryptographic hash [wikipedia.org] since there are hash functions used for table lookups typically matches your other requirements better (Except for them being fast.) without taking reversability into consideration.

    • Erm,

      Passwords should never be encrypted. .

      Can you splain that LI5? Is it because you could sign up some dummy accounts, using various well-chosen passwords, then hack the whole thing and figure out the encryption from those?

      Some of us, maybe just one of us, are somewhat encryption illiterate. I'm, uh, asking for a friend who's dumb like that.

      • by idji ( 984038 )
        Passwords should NEVER EVER be stored on a server for two reasons - they can be viewed by the admin who knows the key, and they can be viewed by the thief who steals them. Password hashes [wikipedia.org] should be stored with salts [wikipedia.org]. These can NEVER be reconstructed by anyone.
        • by idji ( 984038 ) on Thursday October 01, 2015 @06:46PM (#50640641)
          From the article We protect our users’ passwords with a hashing scheme called ‘bcrypt’ and randomly salt each individual password. Bcrypt is non-reversible, so passwords cannot be “decrypted.” We do not store plaintext passwords anywhere..
          No passwords were compromised.
          • Well... you can still brute force a lot of the passwords if you have the hash and the salt.

            Now if they encrypted the hashes then that might make for harder work.

            • hashing scheme called ‘bcrypt’ and randomly salt each individual password

              Well... you can still brute force a lot of the passwords if you have the hash and the salt.

              Could you please tell me how long would it take to get even one correct password of an account using brute-force? Then how long would you need to get all accounts' password with brute-force? You may need to look for how they 'randomly select' salt for each account in order to reduce the time, I guess.

              • That was more a comment on typical human nature which results in people choosing dictionary based passwords.

                Also, it depends on the cost factor as well, obviously. I don't recall seeing an indication of what it was.

                Either way, it would be fairly reasonable to try, say, the top 30000 common dictionary passwords (and other common passwords) on each hash in the table. According to http://openwall.info/wiki/john... [openwall.info], you can do about 1000 bcrypt hashes per second on a single core of an i7 3k series. So you ca

          • by emj ( 15659 ) on Thursday October 01, 2015 @08:28PM (#50641235) Journal

            Don't be so sure, bcrypt was used at Ashley Madison but they still stored transformed and md5 hashed passwords in other places. Leading to this:

            http://cynosureprime.blogspot.... [blogspot.se]

        • Virtual ModUp: Informative. Thanks.
      • by Lobachevsky ( 465666 ) on Thursday October 01, 2015 @08:11PM (#50641133)

        People assume the choices are "unencrypted" or "encrypted" and conclude encrypted is better. But then they're missing hashing. Encrypted data can be undone, it can be decrypted. Any encrypted data is just waiting for the day someone can decrypt it, and if the webserver is checking passwords this way, it means it's decrypting it constantly and anyone can hijack that ability.

        Hashing cannot be undone (mathematically, it's called a one-way function). There's absolutely no way to email you your original password. That's why so many websites have a "reset password" instead, because they literally don't know your password. The webserver checks your password by hashing it and comparing that output with the old recorded value.

        You'll sometimes also hear the term "salting", which basically means the webserver doesn't hash your password directly, but first appends or prepends some gibberish to your password that's unique to that webserver and then hashes it. The advantage of salting is that two webservers won't show on file the exact same hash for the same password. That means if I spend 20 years and solve the hashes for all possible passwords, I haven't unlocked every webserver on earth, I've just unlocked 1 webserver whose salt I copied, and to crack another webserver, I'd have to redo the painfully slow exercise of brute forcing.

    • As far as I can see, so correct me if I am wrong, there is no need to store the private key (needed for decrypting) if the password is stored encrypted and the password entered is also encrypted and compared to the stored result, there is no need for decryption.
    • by Anonymous Coward

      And if you bothered to read their actually statement about the hack (https://www.patreon.com/posts/3457485) you'd see it says:
      'We protect our users’ passwords with a hashing scheme called ‘bcrypt’ and randomly salt each individual password. Bcrypt is non-reversible, so passwords cannot be “decrypted.” We do not store plaintext passwords anywhere.'

    • While we're covering the potential errors of Patreon, how about making the logout link/button easier to find? I'm tired of closing the entire browser to clear my connection to them.

      • by sims 2 ( 994794 )

        I still think all websites should support a universal logout.

        Like so;

        www.google.com/logout
        www.slashdot.com/logout
        www.ihatefacebook.com/logout
        and so on.

        Most every website supports robots.txt how hard could a URL based standardised logout be?

    • by Eythian ( 552130 )

      They used bcrypt, according to the article.

      "Encrypted" is often said when "hashed" is what is meant.

      You don't have private keys for hashing passwords.

      It's safest to assume that your password is compromised and act accordingly, but I doubt that it'll actually happen. bcrypt is a pain to brute-force.

      • by gweihir ( 88907 )

        The public does not know enough to understand what "hashed" means and even less so what bcrypt is. Hence this nonsensical talk about "encrypted" passwords. Nobody does that on server-side, not event those that have absolutely no clue.

        Bcrypt means that if you have a reasonable password and they used a reasonable cost-factor, then it is secure. It also means that a good password remains secure regardless of cost-factor, but a good password is secure after a single, non-salted conventional crypto-hash.

    • by gweihir ( 88907 )

      According to the actual blog-posting, the passwords are protected by bcrypt(). While they also say passwords are protected by an 2048 bit RSA-key, that is likely a mistake and refers only to credit card numbers, social security numbers and tax form information.

      Still, you do never use production data on test-systems that are not specially isolated, i.e. far more so than the production systems. This will likely be one of the first thing the security firm that they have hired will tell them. Ideally, you would

      • Or you simply run it in production, wait for problems, and rollback :.... ;)
        • by gweihir ( 88907 )

          That can get excessively expensive. But no doubt some semi-competent wannabe "developers" are doing it this way.

    • Let me explain a hash. You have a one way function f(password) = hash. This function cannot be reversed. The server stored the hash and then the client sends a password and the server uses the function before comparing it to the stored hash. Passwords are NEVER stored. It's a little more complicated than that, but that's the basics.

  • Patreon still hacked (Score:2, Informative)

    by Khyber ( 864651 )

    People with artwork happening through Patreon are almost certainly having it ripped and distributed.

    I know of hundreds of Patreon people having their stuff ripped and distributed right now.

    • How does that relate to being 'hacked' any more than the latest blockbuster movie released on blu-ray getting ripped and distributed?

      For a good chunk of Patreon content, you don't even have to bypass much of anything (unlike blu-rays' copy protection) as they're just regular youtube-hosted videos.

      There's a good discussion to be had there about content, ip rights, piracy, the pros/cons thereof and the pros/cons of using patreon and similar system in the first place, and whether or not it's terrible when it's

      • To self: GP meant "ripped by people who did not subscribe to and pay for that content", obviously. Where's your coffee?

        ( This realization came right after hitting submit, but now I'm stuck behind the "It's been 10 hours since you last successfully posted a comment." barrier :) )

      • by DarkOx ( 621550 )

        I support a couple artists on Patreon because I like the stuff they do. I enjoy viewing it and I think it is interesting enough to patronize. Both of them post their stuff to their regular free youtube channels the same day. Its essentially the internet equivalent of being busker. They going to perform their art and if you want to help them out by throwing a few bucks in their virtual violin case they appreciate it.

        There is no problem there. I don't think artists are under any illusions about how the sy

    • by lucm ( 889690 )

      I know of hundreds of Patreon people having their stuff ripped and distributed right now.

      I can picture you looking at your bittorrent stream, laughing maniacally as you posted this comment

      • by Khyber ( 864651 )

        It's not even a bittorrent stream. It's a freaking website that's posting the stuff. And no need for me to download any of it when I make my own! I just know it's there through my channels.

    • You are assuming there is stuff on Patreon that is worthy of being ripped and distributed right now.
  • by Anonymous Coward

    I've never heard of this outfit...What the fuck is it that they do? Doesn't seem that hard to give a description of the business.

  • by DoofusOfDeath ( 636671 ) on Thursday October 01, 2015 @06:09PM (#50640379)

    If they let someone into their servers by accident, shouldn't we / they also be curious if the private key has been stolen, even if not stored on those servers?

    • by AmiMoJo ( 196126 )

      The passwords are actually the least interesting part of the leak. There are unencrypted private messages and a user database that allows you to see who was supporting whom.

      Expect some interesting articles about people like Thunderf00t and Sargon of Akkad in the next few days. Their private messages are likely a goldmine of damning information and may help the campaign to get them de-funded.

  • by Anonymous Coward

    Their about page says absolutely nothing about them, what they do or anything. How do they have anyone using what ever service they may be providing? Does anyone do any fucking research into the "businesses" they decide to do business with?

    If a company can't put more than 2 fucking sentences about them on their about page, do they really even know who they are?

    • by Anonymous Coward

      Their about page says absolutely nothing about them, what they do or anything. How do they have anyone using what ever service they may be providing? Does anyone do any fucking research into the "businesses" they decide to do business with?

      If a company can't put more than 2 fucking sentences about them on their about page, do they really even know who they are?

      Paetron is a service whereby artists, musicians, etc. can seek sponsors to fund their craft. In years of old musicians and artists often had a wealthy patron; this simply makes it possible for the masses to fund their artist or musician of choice.

      • Is it like begging in the streets? which musicians still do.

      • by tlhIngan ( 30335 )

        Paetron is a service whereby artists, musicians, etc. can seek sponsors to fund their craft. In years of old musicians and artists often had a wealthy patron; this simply makes it possible for the masses to fund their artist or musician of choice.

        And this hack may not seem to reveal any useful information - after all the payment information and passwords are either hashed, or not stored.

        But there's a lot of "social networking" type information - you can find out what a subscriber sponsors, and even find out

        • by RedK ( 112790 )

          now you get to find out how much they REALLY make in a month.

          Now ? This information was always public on Patreon :

          https://www.patreon.com/user?u... [patreon.com]

          You can publicly see the number of patrons and the monthly revenue they generate. If they have their patreon set to per-creation instead of per-month, you still get the stats per-creation, as in, per-video for instance:

          https://www.patreon.com/sargon... [patreon.com]

          So this hack doesn't even reveal that. At best, it can reveal who is a patron of who, which is not dessimated to the public.

    • by Anonymous Coward
      It's like kickstarter, but there's no set goal and it pays monthly. There are many artists and content creators using it, and there are also many people who don't actually produce anything (or products of little effort), giving it the nickname 'hipster welfare.'
  • by Anonymous Coward

    Companies are rarely "hacked" in the traditional sense. Nine times out of ten it is an inside job or a disgruntled employee that leaks crucial details to facilitate a breach. In any case, the evidence of either is indistinguishable.

"For the love of phlegm...a stupid wall of death rays. How tacky can ya get?" - Post Brothers comics

Working...