Dear Visitor,

Our system has found that you are using an ad-blocking browser add-on.

We just wanted to let you know that our site content is, of course, available to you absolutely free of charge.

Our ads are the only way we have to be able to bring you the latest high-quality content, which is written by professional journalists, with the help of editors, graphic designers, and our site production and I.T. staff, as well as many other talented people who work around the clock for this site.

So, we ask you to add this site to your Ad Blocker’s "white list" or to simply disable your Ad Blocker while visiting this site.

Continue on this site freely
  HOME     MENU     SEARCH     NEWSLETTER    
CUSTOMER RELATIONSHIP MANAGEMENT NEWS. UPDATED 13 MINUTES AGO.
You are here: Home / Network Security / Crowdfunding Site Patreon Hacked
Crowdfunding Web Site Patreon Hacked
Crowdfunding Web Site Patreon Hacked
By Jennifer LeClaire / CRM Daily Like this on Facebook Tweet this Link thison Linkedin Link this on Google Plus
PUBLISHED:
OCTOBER
05
2015
Jack Conte [pictured], CEO of crowdfunding Web site Patreon, has reported unauthorized access to a Patreon database containing user information. Although he has assured users that the firm’s engineering team has since blocked this access and taken immediate measures to prevent future breaches, the initial damage has been done.

“The unauthorized access was confirmed to have taken place on September 28th via a debug version of our Web site that was visible to the public,” Conte, also cofounder of the company, wrote in a blog post. “Once we identified this, we shut down the server and moved all of our non-production servers behind our firewall.”

What the Hackers Got

Specifically, there was unauthorized access to users' registered names, e-mail addresses, posts, and some shipping addresses. What’s more, some billing addresses that were added prior to 2014 were also accessed. However, Patreon said it does not store full credit card numbers on its servers and no credit card numbers were compromised.

“Although accessed, all passwords, Social Security numbers and tax form information remain safely encrypted with a 2048-bit RSA key,” Conte said. “No specific action is required of our users, but as a precaution I recommend that all users update their passwords on Patreon.”

Conte explained that Patreon protects its users’ passwords with a hashing scheme called "bcrypt" and randomly salt each individual password. Bcrypt is non-reversible, so passwords cannot be decrypted. "Salting" is a security practice of adding random data (a "salt") to a password before hashing it and storing the hashed value. Conte said Patreon does not store plaintext passwords anywhere.

“I take our creators’ and patrons’ privacy very seriously. It is our team’s mission to help creators get paid for the immeasurable value they provide to all of us, and earning your trust to provide that service in a safe and secure way is Patreon’s highest priority,” Conte said. “Again, I sincerely apologize for this breach, and the team and I are making every effort to prevent something like this from happening in the future.”

Incorporating Security

We caught up with Ken Westin, senior security analyst at Tripwire, to get his thoughts on the Patreon breach. He told us it's a challenge for companies to incorporate security into their DevOps processes. However, it is becoming increasingly important to do so, he said.

“This breach reveals a vulnerability that thousands of other sites are also exposed to due to a debugging configuration and utility running on these systems. Security teams need to secure all infrastructure, including development and testing environments, not just systems in production,” Westin said.

“If security is incorporated at the time systems are architected, it can save a great deal of time down the road, along with reduce the risk of a compromise. But, this requires more resources for security teams that may already be stretched thin," he added.

Tell Us What You Think
Comment:

Name:

Like Us on FacebookFollow Us on Twitter
MORE IN NETWORK SECURITY

NETWORK SECURITY SPOTLIGHT
China-based Vivo will be the first company to come out with a smartphone featuring an in-display sensor for fingerprint security, beating Apple, Samsung, and other device makers to the punch.

CRM DAILY
NEWSFACTOR NETWORK SITES
NEWSFACTOR SERVICES
© Copyright 2017 NewsFactor Network. All rights reserved. Member of Accuserve Ad Network.