Yet Another Data Hack... 15 GB of Data Leaked Online

Discussion in 'BlackHat Lounge' started by The Scarlet Pimp, Oct 4, 2015.

  1. The Scarlet Pimp

    The Scarlet Pimp Senior Member

    Apr 2, 2008
    Chair moistener.
    wanna make cashola? start a blog about 'net security! :batman:


    Gigabytes of user data from hack of Patreon donations site dumped online

    Hackers have published almost 15 gigabytes' worth of password data, donation records, and source code taken during the recent hack of the Patreon funding website.

    The data has been circulating in various online locations and was reposted here by someone who said it wasn't immediately possible to confirm the authenticity of the data. Security researcher Troy Hunt has since downloaded the archive file, inspected its contents, and concluded that they almost certainly came from Patreon servers.

    He said the amount and type of data posted by the hackers suggest the breach was more extensive and potentially damaging to users than he previously assumed.

    "The fact that source code exists ... is interesting [and] suggests much more than just a typical SQL injection attack and points to a broader compromise," he told Ars. Referring to the inclusion of a 13.7-gigabyte database, he added: "At the very least, it means mapping individuals with the Patreon campaigns they supported. There's more data. I'll look closer once the restore is complete."

    He said unpacking such a large archive file, sorting through its contents, and loading various MySQL database files takes time. Hunt, who maintains the widely visited have i been pwned? website, said he expected to index affected e-mail addresses on the service as soon as possible.

    Update 1: Hunt has now been able to sift through the data and has found 2.3 million unique e-mail addresses, including his own.

    According to Patreon officials, user passwords were cryptographically protected using bcrypt, a hashing function that's extremely slow and computationally demanding to use. Its use was one of the saving graces of the breach, since it meant crackers would have to devote vast amounts of time and resources to crack the hashes.

    With the inclusion of source code, however, it's possible crackers may find programming mistakes that could significantly accelerate the process. That's precisely what crackers did last month to bcrypt-hashed password data taken during the hack of the cheaters dating website Ashley Madison. Access to the source code may also expose the encryption key said to protect social security numbers and tax IDs.

    Hunt isn't the only one to view the contents. Several people have posted screenshots of the purported Patreon data on social media sites, including the image included at the top of this post. If authentic, some of the contents were generated on Patreon servers as recently as September 24. As this Ars post was being prepared, a variety of Patreon subscribers, including this one, took to Twitter to say they found their e-mail addresses in the dump.

    Patreon subscribers should make sure they have changed their compromised password, both on Patreon and on any other websites where it may have been used. Patreon users should also be prepared for the very real possibility that anything they did on the donations site is now a permanent part of the Internet record.

    Update 2: Hunt said the release appears to include the entire database taken in the hack, including a fair number of private messages sent and received by users. "Obviously all the campaigns, supporters and pledges are there too," he wrote in one tweet. "You can determine how much those using Patreon are making." In a separate tweet, he wrote: "The dollar figure for the Patreon campaigns isn't the issue, it's supporters identities, messages, etc. Everything private now public."
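    As an added illustration (not code from the article, from Patreon, or from Troy Hunt), the following shows why a slow, salted password hash is the "saving grace" the article describes: the same password stored with a fast unsalted hash versus a deliberately expensive one, plus a verifier that compares in constant time and a rough measurement of how many guesses per second each scheme allows a cracker. It uses PBKDF2-HMAC from Python's standard library as a stand-in for bcrypt (assumption: bcrypt itself is a third-party package); the work factor, record format and sample passwords are constructed.

```python
import hashlib
import hmac
import os
import time

# Constructed work factor. bcrypt's cost parameter is logarithmic and PBKDF2's
# iteration count is linear, but both make every guess proportionally costlier.
WORK_FACTOR = 200_000


def fast_hash(password: str) -> str:
    """Unsalted single SHA-256: if a leaked copy of the password was protected
    this way, the expensive bcrypt hash beside it is irrelevant to a cracker."""
    return hashlib.sha256(password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes, work_factor: int = WORK_FACTOR) -> bytes:
    """Salted, iterated PBKDF2-HMAC-SHA256, standing in for bcrypt here."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, work_factor)


def store(password: str) -> str:
    """Constructed record 'work_factor$salt_hex$hash_hex': the cost travels with the hash."""
    salt = os.urandom(16)
    return f"{WORK_FACTOR}${salt.hex()}${slow_hash(password, salt).hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    work_factor, salt_hex, hash_hex = record.split("$")
    candidate = slow_hash(password, bytes.fromhex(salt_hex), int(work_factor))
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


def guesses_per_second(hash_fn, seconds: float = 0.5) -> float:
    """Rough single-core rate at which candidates could be tested with hash_fn."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_fn("candidate%d" % n)
        n += 1
    return n / (time.perf_counter() - start)


if __name__ == "__main__":
    record = store("correct horse")
    print(verify("correct horse", record), verify("wrong", record))
    fixed_salt = b"\x00" * 16  # constructed; only for the timing comparison
    fast = guesses_per_second(fast_hash)
    slow = guesses_per_second(lambda p: slow_hash(p, fixed_salt))
    print(f"fast: {fast:,.0f}/s  slow: {slow:,.0f}/s  slowdown: {fast / slow:,.0f}x")
```

    The printed slowdown factor is the multiplier a cracker pays per guess; it is the reason an extra fast hash of the same password, or a key-derivation shortcut found in leaked source code, undoes the protection.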
  2. asap1


    Mar 25, 2013
    If it's not another celebrity iCloud hack I'm not interested :)
  3. cobaltblue87

    cobaltblue87 Jr. VIP

    Jun 30, 2014
    Geez, seems like it is just getting too easy, at this point.
  4. deancow

    deancow Power Member

    Jul 8, 2009
    Big companies just don't give a shit about security, it doesn't give a financial return so what's the point? Until they lose huge amounts of data of course, then it can ruin the company.
  5. archon10

    archon10 BANNED

    Oct 10, 2011
    I'm actually not surprised by all of these hacks. Anyone who does development in corporate knows that higher ups don't understand security, don't care about it, and blow you off if you try to tell them something is insecure and should take more time to be secure and well written. It happens A LOT. The only time I've seen a company take security seriously was with Citrix. Small and midsize businesses don't care and slop together code that's done by people who don't know security.

    I just dropped a client who outsourced their code to India. Once again, another story of overseas cheap devs doing a crap job. These guys did a horrible job and lied about the application being secure, and the worst was that none of the data is secured in the database. We're talking socials, credit card numbers, etc. When I brought it up that the whole code base must be overhauled and everything sensitive must be encrypted, they blew me off and just wanted the app deployed and functioning to show investors. And this is the norm for most companies.
  6. accelerator_dd

    accelerator_dd Jr. VIP

    May 14, 2010
    IM Wonderland
    I bet insurance companies start getting into the field, data theft insurance - a huge market, and less than 1% of companies get owned and hurt financially by a cyber attack.
  7. Aluminium

    Aluminium Jr. VIP, Premium Member

    Dec 5, 2013
    High-Quality Content Provider
    Sooooo.. no naked pictures of Jennifer Lawrence this time? ;D
  8. jazzc

    jazzc Moderator, Staff Member, Jr. VIP

    Jan 27, 2009
    While the security of open source in comparison is stellar... meh.

    The real reason is that security is really, really hard and the advantage is on the attacker's side by far, due to the abysmally large surface of attack vectors.

    Edit: Yes, the above doesn't mean that some people/companies/government entities simply don't care.