STE WILLIAMS

Patreon attackers drop data, expose users’ info all over web

Attackers who compromised Patreon have dumped the data on various bin sites.

It’s perhaps a small irony that one of the dumps has landed on Mega, the Kim Dotcom-founded file-store that calls itself “The Privacy Company” (note: Dotcom is no longer involved with the business and says people should avoid it*).

Microsoft security bod Troy Hunt has promised an analysis of the data, but warns it’s a big dump that might take some time. His short take on Twitter is that the dumps look like the real thing.

Hunt expects to add Patreon members to his HaveIBeenPwned service once he’s worked through the multi-gig data dump.

While of a different order to the Ashley Madison data dumps, there are two issues Patreon members could face. The first is that there may be personal or employment reasons for contributing anonymously to projects (or political reasons, for that matter); the second, that any leak of personal data helps identity thieves.

With 15 GB of data in the drop, there could be a lot of personal details in the leak (Vulture South is happy to leave it to others to pore over the data).

And unlike Ashley Madison, there’s no suggestion that the Patreon lists are salted or polluted by substantial numbers of fake profiles.

Since the site's source code is apparently included among the compromised data – as Patreon explained, the leak happened because a debug version of the site ended up outside the firewall – there's a risk that the code might help attackers in attempts to recover the bcrypt-hashed data. ®

*Bootnote: Earlier this year, Dotcom told Slashdotters he'd severed his ties with Mega.nz and it was not to be trusted. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2015/10/02/patreon_attackers_drop_data_expose_users/
