Important Security Notice from Patreon


Patreon have released an important security notice which, yes, brings unwelcome news of a database breach:

Yesterday I learned that there was unauthorized access to a Patreon database containing user information. Our engineering team has since blocked this access and taken immediate measures to prevent future breaches. I am so sorry to our creators and their patrons for this breach of trust. The Patreon team and I are working especially hard right now to ensure the safety of the community.

There was unauthorized access to registered names, email addresses, posts, and some shipping addresses. Additionally, some billing addresses that were added prior to 2014 were also accessed. We do not store full credit card numbers on our servers and no credit card numbers were compromised. Although accessed, all passwords, social security numbers and tax form information remain safely encrypted with a 2048-bit RSA key. No specific action is required of our users, but as a precaution I recommend that all users update their passwords on Patreon.

Here are some technical details of the incident:

  • The unauthorized access was confirmed to have taken place on September 28th via a debug version of our website that was visible to the public. Once we identified this, we shut down the server and moved all of our non-production servers behind our firewall.
  • There was no unauthorized access of our production servers. The development server included a snapshot of our production database, which included encrypted data.
  • The development server did not have any private keys that would allow login access to any other server. We verified our authorization logs on our production servers to ensure that there was not any unauthorized access.
  • As a precaution, we have rotated our private keys and API keys that would allow access to third-party services that we use.
  • We protect our users’ passwords with a hashing scheme called ‘bcrypt’ and randomly salt each individual password. Bcrypt is non-reversible, so passwords cannot be “decrypted.” We do not store plaintext passwords anywhere.

As soon as we discovered this issue, our engineering team immediately prevented further access and is now conducting a rigorous investigation of our security systems. We are also engaging a 3rd party security firm to do a comprehensive internal security audit and will be implementing new tools and practices to ensure industry-leading security for our users and their data.

I take our creators’ and patrons’ privacy very seriously. It is our team’s mission to help creators get paid for the immeasurable value they provide to all of us, and earning your trust to provide that service in a safe and secure way is Patreon’s highest priority. Again, I sincerely apologize for this breach, and the team and I are making every effort to prevent something like this from happening in the future.

Jack Conte, CEO/Co-founder, Patreon

So that sucks.

To change your Patreon password, hit up your settings page on the site and avail yourself of the Change Password link. On the plus side, Patreon seem to have taken all the right steps, both in terms of responding to the breach (taking the exposed server down, moving non-production servers behind the firewall, rotating private keys and API keys) and in terms of how they went about securing user data in the first place: passwords stored as individually salted bcrypt hashes rather than reversibly encrypted, so a stolen database snapshot does not hand the attacker a decryption key to recover them with (hello, Adobe!).