It’s been a bad day for online security. Patreon, a crowdfunding website designed to let fans pay artists, has just had 15GB of its user’s data — and the site’s source code — dumped online.


The 13.7-gigabyte data dump appeared on the internet today, and according to Ars Technica and security researcher Troy Hunt (of haveibeenpwned fame), it’s legit. The database contains information and identities about artists and donors, private messages between users, and source code for the site itself — alongside email addresses and passwords, which can always be used to compromise accounts on other websites, if users used the same credentials across sites (which they almost always do).


Patreon says that the good news is no credit card data was taken. In a post acknowledging the hack yesterday, the company said:

We do not store full credit card numbers on our servers and no credit card numbers were compromised. Although accessed, all passwords, social security numbers and tax form information remain safely encrypted with a 2048-bit RSA key.

Even though the passwords were encrypted, they’re far from immune: although brute-forcing the information would take time, it’s possible that programming mistakes will be revealed in the leaked source code, enabling hackers to crack the passwords much faster. As Ars points out, that’s exactly what happened with the Ashley Madison hacks.

So, for Patreon users, it’s probably an excellent time to go change your passwords, not just on the site itself, but anywhere on the ‘net you use the same username/password combo. (Yes, I know you do it.) For the rest of us, it’s another depressing reminder that even the nicest, non-adultering websites can — and d0 — get hacked.


[Ars Technica, Patreon]