Slashdot Mirror

← Back to Stories (view on slashdot.org)

Patreon Hacked, Personal Data Accessed

Posted by samzenpus on from the protect-ya-neck dept.

AmiMoJo writes: In a blog post Jake Conte, CEO and co-founder of Patreon, writes: "There was unauthorized access to registered names, email addresses, posts, and some shipping addresses. Additionally, some billing addresses that were added prior to 2014 were also accessed. We do not store full credit card numbers on our servers and no credit card numbers were compromised. Although accessed, all passwords, social security numbers and tax form information remain safely encrypted with a 2048-bit RSA key."

6 of 79 comments (clear)

  1. Re:"with a 2048 bit RSA key" by lakeland · · Score: 3, Informative

    No, they should only store the hash.

  2. Re:"with a 2048 bit RSA key" by John+Bokma · · Score: 4, Insightful
    No. A password should be used as the parameter for a one-way function ("hash function") and the result should be stored. If the user logs in, the password given should be used as a parameter for the same one-way function. If the result is the same as the value stored, the password is the same. Good properties of such a hash function is that it's slow, that the probability of result values is uniformly distributed, and that similar input values don't result in similar output values.

    Because pre-calculated tables exist it's good practice to add a "salt" to the password. Otherwise one just calculates the hash value of '1234567' and looks in the results for this hash value.

    --

    Perl Programmer for hire
  3. Is the private key secured? by DoofusOfDeath · · Score: 4, Interesting

    If they let someone into their servers by accident, shouldn't we / they also be curious if the private key has been stolen, even if not stored on those servers?

  4. Re:"with a 2048 bit RSA key" by idji · · Score: 3, Informative

    From the article We protect our users’ passwords with a hashing scheme called ‘bcrypt’ and randomly salt each individual password. Bcrypt is non-reversible, so passwords cannot be “decrypted.” We do not store plaintext passwords anywhere..
    No passwords were compromised.

  5. Re:"with a 2048 bit RSA key" by Lobachevsky · · Score: 5, Insightful

    People assume the choices are "unencrypted" or "encrypted" and conclude encrypted is better. But then they're missing hashing. Encrypted data can be undone, it can be decrypted. Any encrypted data is just waiting for the day someone can decrypt it, and if the webserver is checking passwords this way, it means it's decrypting it constantly and anyone can hijack that ability.

    Hashing cannot be undone (mathematically, it's called a one-way function). There's absolutely no way to email you your original password. That's why so many websites have a "reset password" instead, because they literally don't know your password. The webserver checks your password by hashing it and comparing that output with the old recorded value.

    You'll sometimes also hear the term "salting", which basically means the webserver doesn't hash your password directly, but first appends or prepends some gibberish to your password that's unique to that webserver and then hashes it. The advantage of salting is that two webservers won't show on file the exact same hash for the same password. That means if I spend 20 years and solve the hashes for all possible passwords, I haven't unlocked every webserver on earth, I've just unlocked 1 webserver whose salt I copied, and to crack another webserver, I'd have to redo the painfully slow exercise of brute forcing.

  6. Re:"with a 2048 bit RSA key" by emj · · Score: 3, Interesting

    Don't be so sure, bcrypt was used at Ashley Madison but they still stored transformed and md5 hashed passwords in other places. Leading to this:

    http://cynosureprime.blogspot....