Patreon crowdfunding site hacked and data leaked online

The Crowdfunding website Patreon has been hacked and about 15 gigabytes of data including names, addresses and donations have been published online.

The data have been available on different servers online locations, including this source.

The Patreon website collects donations to artists for projects, according to the information provided by the chief executive Jack Conte, credit card details were not stolen. According to official statistics published by Patreon the company website reached nearly 16 million of views per month in June 2015.

“We do not store full credit card numbers on our servers and no credit card numbers were compromised. Although accessed, all passwords, social security numbers and tax form information remain safely encrypted with a 2048-bit RSA key.  No specific action is required of our users, but as a precaution I recommend that all users update their passwords on Patreon.” he wrote on the Patreon blog.

Conte confirmed that passwords were encrypted, but anyway he urges Patreon users to change their login credentials.

As reported by ArsTechnica, five days before Patreon staff disclosed the data breach, researchers at Swedish security firm Detectify reported the company a serious programming. The researchers speculate that the exploitation of that flaw allowed hackers to steal data.

Patreon developers allowed a Web application tool known as the Werkzeug utility library to run on its production environment, the same application was used also by the real users of the website.

According to the experts the hackers exploited the Werkzeug debugger to execute arbitrary code from within the browser, the flaw was well known since last December when was discovered by a researcher.

“This is basically Remote Code Execution by design,” Detectify researcher Frans Rosén wrote in ablog post published Friday morning. “An RCE is basically game over. You can inject code directly to the application, exposing all data on the server which the application has access to.”

Rosén explained that the ability to run arbitrary code is supposed to be triggered after a developer enters a secret key that’s generated when the debugger first loads. The debugger will get activated every time a Web app throws an exception, as a result, even unauthorized user who visited Patreon could activate the debugging tool forcing an error condition.

“Most certainly they created an interactive shell which connected to them remotely, which would make it possible for them to walk around the server and push all data over to the attackers,” Rosén wrote in an e-mail to Ars. “The good thing is that since all communication of the commands sent into Werkzeug are done via GET-requests, [Patreon officials] will most certainly be able to see exactly what commands that was being issued. However, it’ll probably just reveal a creation of an interactive shell which [the hackers] then used to extract all the data.”

Cyber security expert Troy Hunt confirmed that the data disclosed online appears to be genuine despite “many tens of thousands” appeared to be auto-generated.

Hunt identified 2.3 million unique email addresses in the stolen data, including his own.

Stay Tuned!

Pierluigi Paganini

(Security Affairs – Patreon , data breach)