Patreon Hacked, Personal Data Accessed

AmiMoJo writes: In a blog post Jake Conte, CEO and co-founder of Patreon, writes: "There was unauthorized access to registered names, email addresses, posts, and some shipping addresses. Additionally, some billing addresses that were added prior to 2014 were also accessed. We do not store full credit card numbers on our servers and no credit card numbers were compromised. Although accessed, all passwords, social security numbers and tax form information remain safely encrypted with a 2048-bit RSA key."

Re:"with a 2048 bit RSA key"

[Lobachevsky]

People assume the choices are "unencrypted" or "encrypted" and conclude encrypted is better. But then they're missing hashing. Encrypted data can be undone, it can be decrypted. Any encrypted data is just waiting for the day someone can decrypt it, and if the webserver is checking passwords this way, it means it's decrypting it constantly and anyone can hijack that ability.

Hashing cannot be undone (mathematically, it's called a one-way function). There's absolutely no way to email you your original password. That's why so many websites have a "reset password" instead, because they literally don't know your password. The webserver checks your password by hashing it and comparing that output with the old recorded value.

You'll sometimes also hear the term "salting", which basically means the webserver doesn't hash your password directly, but first appends or prepends some gibberish to your password that's unique to that webserver and then hashes it. The advantage of salting is that two webservers won't show on file the exact same hash for the same password. That means if I spend 20 years and solve the hashes for all possible passwords, I haven't unlocked every webserver on earth, I've just unlocked 1 webserver whose salt I copied, and to crack another webserver, I'd have to redo the painfully slow exercise of brute forcing.