The following is a breaking story. Please check back for ongoing updates.
Patreon is one of the hottest platforms for direct-to-fan artists, and a potential game-changer in the crowdfunding music space. But its rising popularity makes it a bigger target for hackers, especially given the large number of recurring transactions.
Late on Wednesday night, Patreon revealed that it had been hacked. As of this morning, the situation has been stabilized; Patreon founder Jack Conte has issued the following update to users:
Important Security Notice from Patreon
Yesterday I learned that there was unauthorized access to a Patreon database containing user information. Our engineering team has since blocked this access and taken immediate measures to prevent future breaches. I am so sorry to our creators and their patrons for this breach of trust. The Patreon team and I are working especially hard right now to ensure the safety of the community.
There was unauthorized access to registered names, email addresses, posts, and some shipping addresses. Additionally, some billing addresses that were added prior to 2014 were also accessed. We do not store full credit card numbers on our servers and no credit card numbers were compromised. Although accessed, all passwords, social security numbers and tax form information remain safely encrypted with a 2048-bit RSA key. No specific action is required of our users, but as a precaution I recommend that all users update their passwords on Patreon.
Here are some technical details of the incident:
- The unauthorized access was confirmed to have taken place on September 28th via a debug version of our website that was visible to the public. Once we identified this, we shut down the server and moved all of our non-production servers behind our firewall.
- There was no unauthorized access of our production servers. The development server included a snapshot of our production database, which included encrypted data.
- The development server did not have any private keys that would allow login access to any other server. We verified our authorization logs on our production servers to ensure that there was not any unauthorized access.
- As a precaution, we have rotated our private keys and API keys that would allow access to third-party services that we use.
- We protect our users’ passwords with a hashing scheme called ‘bcrypt’ and randomly salt each individual password. Bcrypt is non-reversible, so passwords cannot be “decrypted.” We do not store plaintext passwords anywhere.
As soon as we discovered this issue, our engineering team immediately prevented further access and is now conducting a rigorous investigation of our security systems. We are also engaging a third-party security firm to do a comprehensive internal security audit and will be implementing new tools and practices to ensure industry-leading security for our users and their data.
I take our creators’ and patrons’ privacy very seriously. It is our team’s mission to help creators get paid for the immeasurable value they provide to all of us, and earning your trust to provide that service in a safe and secure way is Patreon’s highest priority. Again, I sincerely apologize for this breach, and the team and I are making every effort to prevent something like this from happening in the future.
Jack Conte, CEO/Co-founder, Patreon
Q: How do I reset my password?
If you log in using your email address, you can reset your password in the Patreon settings page. Under your personal information, click “Change Password.” If you signed up through Facebook, you do not have a Patreon password and no action is necessary.
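The notice above says passwords were protected with bcrypt and a random salt per password, and that such hashes cannot be "decrypted." The following is an added example, not Patreon's code, illustrating the three properties that claim rests on: a fresh random salt for every stored password, a one-way derivation, and verification by recomputing the derivation rather than reversing it. Because bcrypt is not in the Python standard library, the example uses PBKDF2-HMAC-SHA256 from hashlib as a stand-in; the storage format, iteration count and helper names are assumptions made for the example, and the sample passwords are constructed.

```python
import hashlib
import hmac
import os

# Assumption: PBKDF2-HMAC-SHA256 stands in for bcrypt here, because bcrypt is
# not part of the standard library. The properties demonstrated (per-password
# random salt, one-way derivation, verification by recomputation) are the same.
ITERATIONS = 200_000   # assumed work factor for the example
SALT_BYTES = 16        # 128-bit random salt per password


def unsalted_digest(password: str) -> str:
    """What a salt-less scheme looks like: identical passwords give identical digests,
    so one precomputed table cracks every user who chose the same password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str) -> str:
    """Store a self-describing record: algorithm$iterations$salt_hex$digest_hex.
    The salt is random per call, so the same password never yields the same record."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Check a login attempt by recomputing the derivation with the stored salt.
    Nothing is decrypted; the stored digest is only ever compared against."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iters)
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False  # unknown scheme
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(digest.hex(), digest_hex)


def salts_differ(password: str) -> bool:
    """Two users with the same password get two different records, yet both verify."""
    first = hash_password(password)
    second = hash_password(password)
    return first != second and verify_password(password, first) and verify_password(password, second)


if __name__ == "__main__":
    # Constructed sample: two accounts that happen to share a password.
    pw = "correct horse battery staple"
    print("unsalted digests equal:", unsalted_digest(pw) == unsalted_digest(pw))
    print("salted records differ: ", salts_differ(pw))
    record = hash_password(pw)
    print("right password verifies:", verify_password(pw, record))
    print("wrong password verifies:", verify_password("Tr0ub4dor&3", record))
```

The `unsalted_digest` helper is there only to show what the salt prevents: without it, a leaked table lets one precomputed lookup cover every account sharing a password. With a random salt and a deliberately slow derivation, an attacker holding the leaked records must attack each record separately, which is why the notice could still recommend a password change as a precaution rather than a necessity.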