Yesterday I learned that there was unauthorized access to a Patreon database containing user information. Our engineering team has since blocked this access and taken immediate measures to prevent future breaches. I am so sorry to our creators and their patrons for this breach of trust. The Patreon team and I are working especially hard right now to ensure the safety of the community.
There was unauthorized access to registered names, email addresses, posts, and some shipping addresses. Additionally, some billing addresses that were added prior to 2014 were also accessed. We do not store full credit card numbers on our servers and no credit card numbers were compromised. Although accessed, all passwords, social security numbers and tax form information remain safely encrypted with a 2048-bit RSA key. No specific action is required of our users, but as a precaution I recommend that all users update their passwords on Patreon.
Yeah, never good news, but at least Patreon was upfront about it and was transparent. It SHOULD all be safe and there SHOULDN'T be any risk to you, but what you should DEFINITELY DO in any situation where a site gets breached is CHANGE YOUR PASSWORD IMMEDIATELY.
According to their blog post, they did use a strong form of password hashing called bcrypt, which is one of the strongest methods of hashing passwords available. A lot of other information was protected behind a 2048-bit RSA key, so it is reassuring that they do take security seriously, but these situations unfortunately are becoming more commonplace, so it's important you are able to react accordingly.
Just a really good, useful Marriland tip about password security: reusing passwords is a BAD IDEA! One of the best things you can do to beef up your security is to memorize one very, very strong password (or long multiple-word passphrase) and use a password manager like LastPass, KeePass, or 1Password. These can all store your passwords for sites behind very, very strong encryption, and you can generate random passwords for every site you register for.
By having a unique password on every site, if one site gets hacked, only THAT site is potentially vulnerable and you only need to change your password on THAT site. But if you use the same password on multiple sites, all it takes is for ONE password to get hacked on ONE site and a hacker could gain access to anywhere that is reusing that password. And trust me, they will try social networks, e-mail addresses, and, worst of all, bank account and credit card sites.
The most important types of sites you should use unique passwords for are:
- Your primary e-mail account (if someone hacks this, they can receive password resets for any other site)
- Your banking sites and credit card sites
- Any shopping website that stores credit card information
- Facebook, Twitter, tumblr, or any other social network, since these are likely to draw the attention of bots
That's not an exhaustive list by any means, but it's a good place to start.
Anyway, I hope that this does not concern you, Patrons! I will continue to use Patreon and believe in its security, but it is always good to be mindful of issues like these as they happen so you can take the appropriate measures! Hope this gave some good insight into the situation as well!
AND WELCOME TO OCTOBER!! :)