Patreon

Date: 2015-09-01

Compromised user accoutns: 2.3M

Patreon, a crowdfunding site, had their development server compromised, leading to the loss of production data and source code.

Email addresses, private messages and bcrypt-encrypted passwords of 2.3 million users were lost with 15 gigabytes of data. The data was copied off from Amazon AWS development server. The development server contained full production dataset without any scrubbing.

The development server was running a debug interface connected to the Patreon Python web application (Werkzeuk on Flash). There was no authentication for the debug interface access. Anyone could connect to it and have full access to the system.

Patreon claims social security numbers and tax information were encrypted in the database, but does not clarify if the attacker gained the keys to decrypt this information.

Related evaluation points:

• Limited sensitive data access
• Data scrubbing
• Non-public administration site
• Internal services not exposed

Links:

• Important Security Notice from Patreon
• Gigabytes of user data from hack of Patreon donations site dumped online (Ars Technica)
• How Patreon got hacked – Publicly exposed Werkzeug Debugger (Detectify Labs)