Slashdot Mirror

← Back to Stories (view on slashdot.org)

Patreon Hacked, Personal Data Accessed

Posted by samzenpus on from the protect-ya-neck dept.

AmiMoJo writes: In a blog post Jake Conte, CEO and co-founder of Patreon, writes: "There was unauthorized access to registered names, email addresses, posts, and some shipping addresses. Additionally, some billing addresses that were added prior to 2014 were also accessed. We do not store full credit card numbers on our servers and no credit card numbers were compromised. Although accessed, all passwords, social security numbers and tax form information remain safely encrypted with a 2048-bit RSA key."

79 comments

  1. "with a 2048 bit RSA key" by Anonymous Coward · · Score: 1, Insightful

    Erm,

    Passwords should never be encrypted. Anyone who signed up should assume their passwords are fucked, especially since the private key for decrypting them (assuming this guy even knows what he's talking about) is almost certainly in the app.

    1. Re:"with a 2048 bit RSA key" by Opportunist · · Score: 1

      So ... passwords should be stored in plain text and unencrypted?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:"with a 2048 bit RSA key" by willworkforbeer · · Score: 2

      Erm,

      Passwords should never be encrypted. .

      Can you splain that LI5? Is it because you could sign up some dummy accounts, using various well-chosen passwords, then hack the whole thing and figure out the encryption from those?

      Some of us, maybe just one of us, are somewhat encryption illiterate. I'm, uh, asking for a friend who's dumb like that.

      --
      Pretending this is my office full of bitter coworkers..
    3. Re:"with a 2048 bit RSA key" by Anonymous Coward · · Score: 0

      I also find it hard to believe that the even managed to fit the tax form within the 2048 bits.
      More likely they used some other encryption on the data, then encrypted that key using RSA.

    4. Re:"with a 2048 bit RSA key" by lakeland · · Score: 3, Informative

      No, they should only store the hash.

    5. Re:"with a 2048 bit RSA key" by Anonymous Coward · · Score: 1

      No, they should be hashed and salted and stir fried.

    6. Re:"with a 2048 bit RSA key" by John+Bokma · · Score: 4, Insightful
      No. A password should be used as the parameter for a one-way function ("hash function") and the result should be stored. If the user logs in, the password given should be used as a parameter for the same one-way function. If the result is the same as the value stored, the password is the same. Good properties of such a hash function is that it's slow, that the probability of result values is uniformly distributed, and that similar input values don't result in similar output values.

      Because pre-calculated tables exist it's good practice to add a "salt" to the password. Otherwise one just calculates the hash value of '1234567' and looks in the results for this hash value.

      --

      Perl Programmer for hire
    7. Re:"with a 2048 bit RSA key" by John+Bokma · · Score: 1

      As far as I can see, so correct me if I am wrong, there is no need to store the private key (needed for decrypting) if the password is stored encrypted and the password entered is also encrypted and compared to the stored result, there is no need for decryption.

      --

      Perl Programmer for hire
    8. Re:"with a 2048 bit RSA key" by Anonymous Coward · · Score: 0

      I think the issue is that if the private key was exploited, then every password could be decrypted and subsequently exploited. Security best practice is to store passwords using a hash (actually, salt+hash*10000 times) because decrypting passwords should never be necessary. Please correct me if I'm wrong, but there's nothing inherently weak with the encryption used in this case, it's just that the worst case scenario is far more readily exploitable than the worst case scenario when hashing is used properly.

    9. Re:"with a 2048 bit RSA key" by Anonymous Coward · · Score: 0

      If the data was encrypted with a "2048 bit RSA key", that would take a TON of processing power. PGP, S/MIME, and other utilities use a hybrid system where the actual data is encrypted with a symmetric algorithm, and only the key to the data is encrypted with the RSA algorithm. Exponentiation takes a lot more CPU than shifting arrays or stuffing values through S-boxes.

      Also, how was it encrypted?. A SAN I worked with had self encrypting drives, but that only protected data if the drives were physically yanked out of the enclosure, or the SAN was told to erase data by zeroing all drive keys and start anew. It provided zero protection against a remote attack.

      Then there is keylength. A 2048 bit key is OK for now... but it is getting on the skinny side of things. For archiving data, 8192 to 16384 bit keys are starting to be used, with 4096 being often seen in the PGP/gpg realm.

      As for passwords, as many people here have stated, they need to be stored has a hash with a salt. Hell, UNIX was doing this since the 80s with crypt() using a few rounds of DES to handle two characters of salt, encrypt some zeroes using the user's password as the DES key, and spit the value out. This way, if two users had the same password, nobody would really know unless /etc/password was cracked.

      Sounds like shitty coding. Every backend database (except MarkLogic ) has the ability to encrypt in various fashions. This can be used by applications, separate VMs can be used to split functions, and the entire web backend can easily be slightly changed to afford "real" security.

      Oh well. Just another breach, only people stung will be the end users, as this breach will be forgotten about in 1-2 weeks as other things happen other news articles.

    10. Re:"with a 2048 bit RSA key" by willworkforbeer · · Score: 1

      I think the issue is that if the private key was exploited, then every password could be decrypted and subsequently exploited. Security best practice is to store passwords using a hash (actually, salt+hash*10000 times) because decrypting passwords should never be necessary.

      Private keys. Salt. Hash. Yep, that's ...that's exactly what I thought.
      Actually, thank you. I ... my friend should study up on these topics to be less igcryptorant.

      --
      Pretending this is my office full of bitter coworkers..
    11. Re:"with a 2048 bit RSA key" by Anonymous Coward · · Score: 1

      And if you bothered to read their actually statement about the hack (https://www.patreon.com/posts/3457485) you'd see it says:
      'We protect our users’ passwords with a hashing scheme called ‘bcrypt’ and randomly salt each individual password. Bcrypt is non-reversible, so passwords cannot be “decrypted.” We do not store plaintext passwords anywhere.'

    12. Re:"with a 2048 bit RSA key" by idji · · Score: 2

      Passwords should NEVER EVER be stored on a server for two reasons - they can be viewed by the admin who knows the key, and they can be viewed by the thief who steals them. Password hashes should be stored with salts. These can NEVER be reconstructed by anyone.

    13. Re:"with a 2048 bit RSA key" by idji · · Score: 3, Informative

      From the article We protect our users’ passwords with a hashing scheme called ‘bcrypt’ and randomly salt each individual password. Bcrypt is non-reversible, so passwords cannot be “decrypted.” We do not store plaintext passwords anywhere..
      No passwords were compromised.

    14. Re:"with a 2048 bit RSA key" by willworkforbeer · · Score: 1

      Virtual ModUp: Informative. Thanks.

      --
      Pretending this is my office full of bitter coworkers..
    15. Re:"with a 2048 bit RSA key" by Anonymous Coward · · Score: 0

      2048 bit refers to the size of the keys, not the file size,

    16. Re:"with a 2048 bit RSA key" by Anonymous Coward · · Score: 0

      Yes, except that you would rather use a one-way hash function, and create a unique salt for each user that you use to salt their password hash to avoid repeat passwords from different users having the same hash.

    17. Re:"with a 2048 bit RSA key" by Eythian · · Score: 1

      They used bcrypt, according to the article.

      "Encrypted" is often said when "hashed" is what is meant.

      You don't have private keys for hashing passwords.

      It's safest to assume that your password is compromised and act accordingly, but I doubt that it'll actually happen. bcrypt is a pain to brute-force.

    18. Re:"with a 2048 bit RSA key" by gweihir · · Score: 1

      The public does not know enough to understand what "hashed" means and even less so what bcrypt is. Hence this nonsensical talk about "encrypted" passwords. Nobody does that on server-side, not event those that have absolutely no clue.

      Bcrypt means that if you have a reasonable password and they used a reasonable cost-factor, then it is secure. It also means that a good password remains secure regardless of cost-factor, but a good password is secure after a single, non-salted conventional crypto-hash.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    19. Re:"with a 2048 bit RSA key" by gweihir · · Score: 1

      According to the actual blog-posting, the passwords are protected by bcrypt(). While they also say passwords are protected by an 2048 bit RSA-key, that is likely a mistake and refers only to credit card numbers, social security numbers and tax form information.

      Still, you do never use production data on test-systems that are not specially isolated, i.e. far more so than the production systems. This will likely be one of the first thing the security firm that they have hired will tell them. Ideally, you would only test with synthetic data, but that has rather strong limits in practice. Hence you test everything with outside connectivity with synthetic data, test everything that needs real data with the machines completely isolated and hope that is enough. Of course you also make sure to be able to roll back after deployment and of course this costs more money and needs more competent engineers than just using production data on non-isolated test systems.

      As usual, somebody needs to lose their job over this. I strongly recommend making it the person that _hired_ those that messed up or authorized this use of production data.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    20. Re:"with a 2048 bit RSA key" by Lobachevsky · · Score: 5, Insightful

      People assume the choices are "unencrypted" or "encrypted" and conclude encrypted is better. But then they're missing hashing. Encrypted data can be undone, it can be decrypted. Any encrypted data is just waiting for the day someone can decrypt it, and if the webserver is checking passwords this way, it means it's decrypting it constantly and anyone can hijack that ability.

      Hashing cannot be undone (mathematically, it's called a one-way function). There's absolutely no way to email you your original password. That's why so many websites have a "reset password" instead, because they literally don't know your password. The webserver checks your password by hashing it and comparing that output with the old recorded value.

      You'll sometimes also hear the term "salting", which basically means the webserver doesn't hash your password directly, but first appends or prepends some gibberish to your password that's unique to that webserver and then hashes it. The advantage of salting is that two webservers won't show on file the exact same hash for the same password. That means if I spend 20 years and solve the hashes for all possible passwords, I haven't unlocked every webserver on earth, I've just unlocked 1 webserver whose salt I copied, and to crack another webserver, I'd have to redo the painfully slow exercise of brute forcing.

    21. Re:"with a 2048 bit RSA key" by Stewie241 · · Score: 1

      Well... you can still brute force a lot of the passwords if you have the hash and the salt.

      Now if they encrypted the hashes then that might make for harder work.

    22. Re:"with a 2048 bit RSA key" by emj · · Score: 3, Interesting

      Don't be so sure, bcrypt was used at Ashley Madison but they still stored transformed and md5 hashed passwords in other places. Leading to this:

      http://cynosureprime.blogspot....

    23. Re:"with a 2048 bit RSA key" by tepples · · Score: 1

      True, passwords used by users to authenticate to site A need to be hashed with salt and key stretching when stored on site A. But the only way to let site A perform actions on site B on the user's behalf is to store a "password" for site B on site A's servers. For example, an RSS reader application may need to log into other sites to retrieve non-public feeds to which the user has subscribed.

    24. Re:"with a 2048 bit RSA key" by davester666 · · Score: 1

      Mmm. Time for another hit. And now, a dab of salt on the tongue. There. Now I feel like crap.

      --
      Sleep your way to a whiter smile...date a dentist!
    25. Re:"with a 2048 bit RSA key" by jaklode · · Score: 1

      Or you simply run it in production, wait for problems, and rollback :.... ;)

    26. Re:"with a 2048 bit RSA key" by Anonymous Coward · · Score: 0

      You are slightly wrong about salting. Salt is usually unique for a user (maybe there's an additional salt for server, but not necessarily). That way, even if 2 or more users have the same password, they have different hashes.

    27. Re:"with a 2048 bit RSA key" by Anonymous Coward · · Score: 0

      ...first appends or prepends some gibberish to your password that's unique to that webserver and then hashes it. .

      Good security practice is one hash per password, not per website.

    28. Re:"with a 2048 bit RSA key" by parkinglot777 · · Score: 1

      hashing scheme called ‘bcrypt’ and randomly salt each individual password

      Well... you can still brute force a lot of the passwords if you have the hash and the salt.

      Could you please tell me how long would it take to get even one correct password of an account using brute-force? Then how long would you need to get all accounts' password with brute-force? You may need to look for how they 'randomly select' salt for each account in order to reduce the time, I guess.

    29. Re:"with a 2048 bit RSA key" by Anonymous Coward · · Score: 0

      Could you please tell me how long would it take to get even one correct password of an account using brute-force?

      Try "password" on each account, and at least one should work assuming a big enough database. Other common passwords should also work.

      The time it takes to attempt this for one password candidate is less than or equal to the time it takes for every single user to log in in the service using their correct password. If this takes long, they must have lots of servers dedicated to the log in process, which I doubt.

    30. Re:"with a 2048 bit RSA key" by Stewie241 · · Score: 1

      That was more a comment on typical human nature which results in people choosing dictionary based passwords.

      Also, it depends on the cost factor as well, obviously. I don't recall seeing an indication of what it was.

      Either way, it would be fairly reasonable to try, say, the top 30000 common dictionary passwords (and other common passwords) on each hash in the table. According to http://openwall.info/wiki/john..., you can do about 1000 bcrypt hashes per second on a single core of an i7 3k series. So you can try all 30000 dictionary passwords in 30 seconds on a single core. If you ran say, 1 million passwords, it would take 30 million seconds, which is 347 days. Now if you can rent a single of these cores for say, $25 a month (which I think is conservative but it's hard to find cloud compute based on a specific processor), you would need 12 of them for a month, which would cost $300.

      Magnified by my suspicion (completely not based on any scientific study) that:
      People with weaker passwords that would be found using the dictionary attack are:
        - More likely to reuse their passwords elsewhere
        - Less likely to pay attention to news like this
        - Less likely to actually change their password other places if they do find out about this

      you will have at least some payoff.

    31. Re:"with a 2048 bit RSA key" by Anonymous Coward · · Score: 1

      Good properties of such a hash function is that it's slow, that the probability of result values is uniformly distributed, and that similar input values don't result in similar output values.

      I would add that it should be a cryptographic hash since there are hash functions used for table lookups typically matches your other requirements better (Except for them being fast.) without taking reversability into consideration.

    32. Re:"with a 2048 bit RSA key" by gweihir · · Score: 1

      That can get excessively expensive. But no doubt some semi-competent wannabe "developers" are doing it this way.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    33. Re:"with a 2048 bit RSA key" by Anonymous Coward · · Score: 0

      Hashing cannot be undone (mathematically, it's called a one-way function). There's absolutely no way to email you your original password. [...] You'll sometimes also hear the term "salting", which basically means the webserver doesn't hash your password directly, but first appends or prepends some gibberish to your password that's unique to that webserver and then hashes it. The advantage of salting is that two webservers won't show on file the exact same hash for the same password. That means if I spend 20 years and solve the hashes for all possible passwords, I haven't unlocked every webserver on earth, I've just unlocked 1 webserver whose salt I copied, and to crack another webserver, I'd have to redo the painfully slow exercise of brute forcing.

      Even with salting, if you find the salt in the same database, on disk, or in memory, you will be able to find basic passwords in a matter of seconds on a modern computer, particularly if the salt is unique to the server, instead of being unique to the user (the best is of course to have both salts, or even more, in different places of different nature)...

      Without salting, rainbow tables will find most basic passwords hashed using common algorithms near instantly.

      Also, while most breach announcements sound like a competition of who will have leaked data for the most people, don't forget that there can be high-value targets which can be focused upon. Maybe even just one person.

      Don't forget also that it's very seldom "one 15-year-old guy with one average three-year-old computer trying to crack passwords to troll some random guys"... First of course it can be one or more governments (possibly together, and not just "peaceful developed countries who definitely never will target any really innocent people like me under any circumstances"...). But then it can also be complete teams of crackers each with millions of zombie machines at their command, including servers, and even possibly some super-computers (including because they targeted these with specific attacks). The goals can be numerous too. It's seldom a "get a thousand bucks quick scheme"... It can include finding important data/correspondences, blackmailing, accumulating millions of dollars even with small targets if numerous enough (and possibly much more money, depending on the targets...), or even murder (and the motives are numerous too... maybe you published something displeasing some religious freaks, and they want your head... maybe you're shouting a bit too much against some governments -and not just your own, maybe some dictatorship half a world away-, even though you thought you were just "invisible in the noise"... maybe you made the wrong enemies through your business... maybe something that happened 5, 10, 20 years ago... they just needed a chance to find you... maybe some psychiatric weirdo is targeting you because you said "chair" on an image board 3 years ago... maybe some stalker who want to rape and kill you and your family just because... I mean, pretty much everyone in 'developed' countries will have his/her info published at least once soon... statistically, things like this will happen x number of times at least, because of it...).

    34. Re:"with a 2048 bit RSA key" by Anonymous Coward · · Score: 0

      And a easy way to salt the user's password is to use some mashed up form of their login id

      That would create a unique salt for every user, and thus prevent two users from having the same hash, even IF they have the same password.

      Anytime I sign up for a new site, I immediately use their reset password functionality, to try and determine how they store my password. If they send me my actual password (and I've had that happen) then I know the site is basically not safe, and I immediately change the password to a very long string of garbage, and then delete my account (if possible). I then find another site to provide the same functionality that doesn't store my password encrypted.

      You should NEVER be using encryption to store a password, EVER. If you do, you are basically saying to me that your skill at website development is that of a grade schooler at BEST.

    35. Re: "with a 2048 bit RSA key" by WarJolt · · Score: 1

      Let me explain a hash. You have a one way function f(password) = hash. This function cannot be reversed. The server stored the hash and then the client sends a password and the server uses the function before comparing it to the stored hash. Passwords are NEVER stored. It's a little more complicated than that, but that's the basics.

  2. Patreon still hacked by Khyber · · Score: 1, Informative

    People with artwork happening through Patreon are almost certainly having it ripped and distributed.

    I know of hundreds of Patreon people having their stuff ripped and distributed right now.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    1. Re:Patreon still hacked by QuasiSteve · · Score: 1

      How does that relate to being 'hacked' any more than the latest blockbuster movie released on blu-ray getting ripped and distributed?

      For a good chunk of Patreon content, you don't even have to bypass much of anything (unlike blu-rays' copy protection) as they're just regular youtube-hosted videos.

      There's a good discussion to be had there about content, ip rights, piracy, the pros/cons thereof and the pros/cons of using patreon and similar system in the first place, and whether or not it's terrible when it's people just trying to make a few bucks on the side but okay when they're getting $arbitrary_amount/month off of patreon - but in the context of 'hacked', the occurrence of videos getting downloaded and re-uploaded elsewhere does not seem to fit in.

    2. Re:Patreon still hacked by QuasiSteve · · Score: 1

      To self: GP meant "ripped by people who did not subscribe to and pay for that content", obviously. Where's your coffee?

      ( This realization came right after hitting submit, but now I'm stuck behind the "It's been 10 hours since you last successfully posted a comment." barrier :) )

    3. Re:Patreon still hacked by lucm · · Score: 1

      I know of hundreds of Patreon people having their stuff ripped and distributed right now.

      I can picture you looking at your bittorrent stream, laughing maniacally as you posted this comment

      --
      lucm, indeed.
    4. Re:Patreon still hacked by Anonymous Coward · · Score: 0

      Yeah, "artwork."

      (People pay for porn even in 2015. Who knew?)

    5. Re:Patreon still hacked by Khyber · · Score: 1

      It's not even a bittorrent stream. It's a freaking website that's posting the stuff. And no need for me to download any of it when I make my own! I just know it's there through my channels.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    6. Re:Patreon still hacked by thunderclap · · Score: 1

      You are assuming there is stuff on Patreon that is worthy of being ripped and distributed right now.

    7. Re:Patreon still hacked by DarkOx · · Score: 1

      I support a couple artists on Patreon because I like the stuff they do. I enjoy viewing it and I think it is interesting enough to patronize. Both of them post their stuff to their regular free youtube channels the same day. Its essentially the internet equivalent of being busker. They going to perform their art and if you want to help them out by throwing a few bucks in their virtual violin case they appreciate it.

      There is no problem there. I don't think artists are under any illusions about how the system works or that most of their viewers probably don't contribute directly.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
  3. This is getting tiresome by Anonymous Coward · · Score: 0

    *sigh*

    Everybody change your passwords...again. Everybody renew your credit cards...again. Everybody sign up for LifeLock....again. Everybody check your credit scores...again.

    1. Re: This is getting tiresome by Anonymous Coward · · Score: 0

      It's what they get for working for themselves online. The internet was never designed to be a secure marketplace. Get a real job. Stop cluttering the internet with things you want to sell. It's really getting tiresome.

    2. Re: This is getting tiresome by lucm · · Score: 1

      Yes! Less nice things to buy! More bitter comments! That's the internet we deserve!

      --
      lucm, indeed.
    3. Re: This is getting tiresome by Anonymous Coward · · Score: 0

      Hey, thanks for turning computer into the new idiot box.
      Whatever point you are trying to make is ignorant. You don't need to clutter up the net to have access to nice things. You could go to a store. You're just lazy and a miser so you have to scour the globe for "deals."
      Fuck you for killing the internet, the video store and peoples' attention span.

    4. Re: This is getting tiresome by lucm · · Score: 1

      But... what about porn?

      --
      lucm, indeed.
    5. Re: This is getting tiresome by Anonymous Coward · · Score: 0

      So much edge. And straw.

  4. Patreon deserved to be hacked by Anonymous Coward · · Score: 0

    Patreon is full of talentless beggars who harass people for money similar to Jimbo "A Personal Appeal" Wales. I hope all Patreon users get their penises chopped off.

  5. Nice by Anonymous Coward · · Score: 0

    Anybody names Sam Yam deserves to be hacked

    1. Re:Nice by willworkforbeer · · Score: 1

      Sam Yam deserves to be hacked

      Please, finish your Dr Suess thought ... you know you wanna.

      --
      Pretending this is my office full of bitter coworkers..
    2. Re: Nice by Anonymous Coward · · Score: 0

      Sam Yam deserves to be hacked.
      Sam Yam has no tact.
      Sam Yam doesn't give a shit,
      about his users. Not on little bit!

      (Different AC here, bit I couldn't resist....)

  6. Patreon does what exactly? by Anonymous Coward · · Score: 1

    I've never heard of this outfit...What the fuck is it that they do? Doesn't seem that hard to give a description of the business.

    1. Re:Patreon does what exactly? by lucm · · Score: 1

      they do things that can easily be found out by googling their name

      --
      lucm, indeed.
  7. Is the private key secured? by DoofusOfDeath · · Score: 4, Interesting

    If they let someone into their servers by accident, shouldn't we / they also be curious if the private key has been stolen, even if not stored on those servers?

    1. Re:Is the private key secured? by Anonymous Coward · · Score: 0

      How does the HTTPS server decrypt incoming traffic if the private key is not on the server itself (local copy to disk or in memory)?

    2. Re:Is the private key secured? by AmiMoJo · · Score: 1

      The passwords are actually the least interesting part of the leak. There are unencrypted private messages and a user database that allows you to see who was supporting whom.

      Expect some interesting articles about people like Thunderf00t and Sargon of Akkad in the next few days. Their private messages are likely a goldmine of damning information and may help the campaign to get them de-funded.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  8. Who? by Anonymous Coward · · Score: 1

    Their about page says absolutely nothing about them, what they do or anything. How do they have anyone using what ever service they may be providing? Does anyone do any fucking research into the "businesses" they decide to do business with?

    If a company can't put more than 2 fucking sentences about them on their about page, do they really even know who they are?

    1. Re:Who? by Anonymous Coward · · Score: 0

      Plenty of people know about, and use, patreon.

    2. Re:Who? by Anonymous Coward · · Score: 1

      Their about page says absolutely nothing about them, what they do or anything. How do they have anyone using what ever service they may be providing? Does anyone do any fucking research into the "businesses" they decide to do business with?

      If a company can't put more than 2 fucking sentences about them on their about page, do they really even know who they are?

      Paetron is a service whereby artists, musicians, etc. can seek sponsors to fund their craft. In years of old musicians and artists often had a wealthy patron; this simply makes it possible for the masses to fund their artist or musician of choice.

    3. Re:Who? by Anonymous Coward · · Score: 1

      It's like kickstarter, but there's no set goal and it pays monthly. There are many artists and content creators using it, and there are also many people who don't actually produce anything (or products of little effort), giving it the nickname 'hipster welfare.'

    4. Re:Who? by Blaskowicz · · Score: 1

      Is it like begging in the streets? which musicians still do.

    5. Re:Who? by Anonymous Coward · · Score: 0

      Yes, but the key difference is with Patreon you don't have to wear pants. Hence their motto: "Patreon, pants off!"

    6. Re:Who? by tlhIngan · · Score: 1

      Paetron is a service whereby artists, musicians, etc. can seek sponsors to fund their craft. In years of old musicians and artists often had a wealthy patron; this simply makes it possible for the masses to fund their artist or musician of choice.

      And this hack may not seem to reveal any useful information - after all the payment information and passwords are either hashed, or not stored.

      But there's a lot of "social networking" type information - you can find out what a subscriber sponsors, and even find out how much an artist actually makes in a month. (This can be useful information if you've wanted them to do a piece on something, but they always said some other group always paid more - I know of an artist who paints and what he paints depends on which group paid the most).

      Then there are the folks who use Patreon for support... now you get to find out how much they REALLY make in a month. I know of several YouTube content creators who release videos for free, and get ad money, but also solicit funds from Patreon, as well as sell advertising on their website and other things. Sometimes just out of curiosity you wonder how much they're pulling in for this "full time job".

      Some of the analytics might prove interesting and maybe that "starving artist" you see might not be quite so starving after all.

    7. Re:Who? by RedK · · Score: 1

      now you get to find out how much they REALLY make in a month.

      Now ? This information was always public on Patreon :

      https://www.patreon.com/user?u...

      You can publicly see the number of patrons and the monthly revenue they generate. If they have their patreon set to per-creation instead of per-month, you still get the stats per-creation, as in, per-video for instance:

      https://www.patreon.com/sargon...

      So this hack doesn't even reveal that. At best, it can reveal who is a patron of who, which is not dessimated to the public.

      --
      "Not to mention all the idiots who use words like boxen."
      Anonymous Coward on Monday August 04, @06:49PM
    8. Re:Who? by Anonymous Coward · · Score: 0

      There are many members of the site that donate to themselves in order to make it look like they are worth donating to. There are others whose parents donate large sums to them in an effort to make it look as though their child is creating some worthwhile content. Basic beggar practices (a coffee can that's jingling with change has a proven effect to gather more donations than a silent one) This will show who's been priming the pump and cast many liars into the light that have used their Patreon donation rates as a sign of success and a weapon to use against those that criticize their "work".

      Also, what I find most-dubious is the "We do not store any payment information on the site" -- then how in the fuck do they bill the cards monthly?

  9. So, not protected at all by Anonymous Coward · · Score: 0, Insightful

    You don't 'protect' static data with RSA.

    1. Re:So, not protected at all by Anonymous Coward · · Score: 1

      They very likely mean that they use a 2048-bit RSA key to encrypt a symmetric cipher key like AES or whatever. This is how certificates work when used for encryption (eg. SSL, etc). In fact this is how most encryption systems work (LUKS, TrueCrypt, BitLocker, etc). Your key or passphrase is used to "unlock" (ie. decrypt) a master key which is the actual cipher key.

  10. And put a logout link on the top! by khasim · · Score: 1

    While we're covering the potential errors of Patreon, how about making the logout link/button easier to find? I'm tired of closing the entire browser to clear my connection to them.

    1. Re:And put a logout link on the top! by sims+2 · · Score: 2

      I still think all websites should support a universal logout.

      Like so;

      www.google.com/logout
      www.slashdot.com/logout
      www.ihatefacebook.com/logout
      and so on.

      Most every website supports robots.txt how hard could a URL based standardised logout be?

      --
      Minimum threshold fixed. Thanks!
  11. Spongers got taken advantage of by Anonymous Coward · · Score: 0

    GenZ hipsters looking for free money get ripped off? Cue the fake outrage. Here's a life lesson, kiddies - go get a job.

    1. Re: Spongers got taken advantage of by Anonymous Coward · · Score: 0

      We'd love to, but they've all been automated, outsourced, exported or H-1B'd.

    2. Re: Spongers got taken advantage of by Anonymous Coward · · Score: 0

      Those Humanities degrees just don't command the respect they used to.

  12. REALLY? by Anonymous Coward · · Score: 0

    Until we find out that they never salted them, nor used pepper. Then we are cooked beyond believe with no seasonings.

  13. Stop using the word "hacked" by Anonymous Coward · · Score: 1

    Companies are rarely "hacked" in the traditional sense. Nine times out of ten it is an inside job or a disgruntled employee that leaks crucial details to facilitate a breach. In any case, the evidence of either is indistinguishable.

  14. Related links by Anonymous Coward · · Score: 0

    Related Links

            1307 Greece Rejects EU Terms
            1097 Two Gunman Killed Outside "Draw the Prophet" Event In Texas
            894 Pope Francis: There Are Limits To Freedom of Expression
            776 Worker Fired For Disabling GPS App That Tracked Her 24 Hours a Day
            760 $56,000 Speeding Ticket Issued Under Finland's System of Fines Based On Income

    Someone forgot to add the 'salt' to these.

  15. If they send me my actual password (and I've had by Anonymous Coward · · Score: 0

    If they send me my actual password (and I've had that happen)

    TracFone and its associated sites do this