Creative crowdfunding platform Patreon has been hacked, the San Francisco company announced to its users early Thursday morning (Oct. 1).
In an email, the company said, “there was unauthorized access to a Patreon database containing user information.” It continued, stating that its engineering team has blocked the access and “taken immediate measures to prevent future breaches.”
Registered names, email addresses, posts and some shipping addresses were all accessed in the hack and dumped online, as well as some billing addresses that were added prior to 2014. Full credit card numbers are not saved on the Patreon servers and were not compromised.
According to the email notice, although they were accessed, all social security numbers and tax form information “remain safely encrypted, and all passwords securely hashed.” It’s recommended as a precaution that all users update their Patreon passwords.
Jack Conte, Patreon founder and half of the musical duo Pomplamoose, told Billboard, “We are in close touch with law enforcement to minimize risk to our users and we have engaged a third party security firm to inform our response. The operations team at Patreon is working hand in hand with Twitter’s trust and safety team. They have actively suspended accounts that link to the breached data.”
Conte clarified that Patreon’s engineering team encrypts all tax information with a 2048-bit RSA key — the key to which lives on a separate server and was not compromised. User passwords are hashed using bcrypt with 8 or 12 passes.
“Patreon engineering has done a thorough analysis of the vulnerability that led to the breach,” Conte said. “We are being meticulous and rigorous in the investigation and based on conversations with dozens of advisors and security experts, I’m highly confident that we’re doing everything in our power to minimize the impact on our users.”
Launched in summer 2013, Patreon raised $2.1 million of seed funding later that year from Atlas, Charles River and other investors, then got another $15 million in mid-2014 from SV Angel (Dropbox, Airbnb), Index Ventures (SoundCloud, Etsy), Facebook VP of messaging products David Marcus, and other investors. In March 2015, crowdfunding fanatic Amanda Palmer notably joined the service, following campaigns on competitor service Kickstarter that raised more than $1 million.