Maker-funding site Patreon was hacked last week, resulting in the dump of gigabytes of source code and user data. User passwords were stored as salted bcrypt hashes, which means they cannot be read straight out of the dump and must be cracked one guess at a time, but some users have already found their personal data in the trove.
Founder Jack Conte wrote:
There was unauthorized access to registered names, email addresses, posts, and some shipping addresses. Additionally, some billing addresses that were added prior to 2014 were also accessed. We do not store full credit card numbers on our servers and no credit card numbers were compromised. Although accessed, all passwords, social security numbers and tax form information remain safely encrypted with a 2048-bit RSA key. No specific action is required of our users, but as a precaution I recommend that all users update their passwords on Patreon.
The data appears to have come from a debug instance of the site that was exposed to the Internet and that included a “snapshot” of the production database. “We protect our users’ passwords with a hashing scheme called ‘bcrypt’ and randomly salt each individual password. Bcrypt is non-reversible, so passwords cannot be ‘decrypted.’ We do not store plaintext passwords anywhere,” wrote Conte.
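To make the properties Conte describes concrete, here is an added example (not Patreon's code, and not taken from the original report). Python's standard library has no bcrypt, so it uses hashlib.scrypt as a stand-in slow, salted password hash; the record format, user names, passwords and wordlist are all constructed for illustration. It shows that the same password yields a different hash for every user, that verification recomputes the hash with the stored salt, and why the advice to change passwords still stands: a leaked salted hash cannot be reversed, but a weak password can still be guessed offline.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for the stand-in KDF (scrypt). Like bcrypt's cost parameter,
# raising it slows every guess an attacker makes against a leaked hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hash a password with a fresh random salt.

    Returns 'salt_hex$digest_hex' (a hypothetical storage format) so the salt
    travels with the hash, the same way a bcrypt string embeds its own salt.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # per-password random salt, never reused
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32,
    )
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, _digest_hex = record.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, record)


def crack_record(record: str, wordlist) -> Optional[str]:
    """Offline dictionary attack against one leaked record.

    The salt defeats precomputed tables, but nothing stops an attacker who
    holds the dump from running the same KDF over common passwords, one
    record at a time. The cost parameter only decides how slow that is.
    """
    for guess in wordlist:
        if verify_password(guess, record):
            return guess
    return None


# Constructed sample data: a tiny wordlist and two users, one with a weak password.
COMMON_PASSWORDS = ["123456", "password", "patreon", "letmein", "password123", "qwerty"]
USERS = {
    "alice": hash_password("password123"),         # weak: in any dictionary
    "bob": hash_password("3R!vxq-Zt9_wholeMoon"),  # not in the wordlist
}


def cracked_users(users=USERS, wordlist=COMMON_PASSWORDS) -> dict:
    """Return the accounts whose leaked hash falls to the sample wordlist."""
    found = {}
    for name, record in users.items():
        guess = crack_record(record, wordlist)
        if guess is not None:
            found[name] = guess
    return found


if __name__ == "__main__":
    a, b = hash_password("hunter2"), hash_password("hunter2")
    print("same password, different records:", a != b)
    print("verify correct:", verify_password("hunter2", a))
    print("verify wrong:", verify_password("hunter3", a))
    print("cracked from dump:", cracked_users())
```

The attacker in this scenario holds the whole database snapshot, so the only defenses are the hash's cost and the strength of each individual password; a cracked password is also the one most likely to be tried against the same user's accounts elsewhere, which is what the reuse warning below is about.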
Conte recommends changing your Patreon password, and the password on any other site where you used the same or a similar passphrase. He said no credit card information was leaked.