It initially looked like last week’s news of Patreon being hacked was just another run-of-the-mill story about a cybersecurity breach. But it turns out there may be more to it.
Ars Technica is reporting that the information acquired by hackers has been posted online in the form of a “data dump.” The information was analyzed by a security researcher, who concluded that it appears to be authentic data from Patreon’s servers. The researcher was eventually able to restore a database from the hacked files and search it, finding his own e-mail address as well as the e-mail addresses of other Patreon users.
Account passwords extracted during the hack were protected with bcrypt, a password-hashing function. This is good news, as bcrypt hashes require a lot of computational power to crack. However, hackers were also able to acquire some source code during the attack, and they may be able to use that code to defeat the bcrypt protection more easily. That’s what happened during the recent high-profile Ashley Madison hack.
Patreon hasn’t released an update to its original security notice. It’s still highly recommended that users reset their Patreon passwords, as well as the passwords on any other accounts that might’ve used the same password.