It looks like hackers quietly siphoned data from Patreon, the site for financing creative people’s work via the crowd, for a very long time. That said, more than half the user emails found in the hack bear markings that suggest they were likely fake accounts.
The Observer reported on a massive data dump from Patreon, in which a file of something like 15 gigabytes was stolen from the site. In that post, the Observer turned to an expert consultant to give us a quick read on what could possibly be read in that dump. Since then, the Observer has received an analysis of the data from an anonymous source who claimed to have no affiliation with any of the parties that have been pointed out over the course of the controversy around the hack.
One security site explained how the company believed the hack was executed, but not much new has come out about the data dump since it was posted last week. A recent story in the San Francisco Chronicle revisited the widely reported site that is still hosting a copy of the stolen file. The data posted there was stolen from a test site that Patreon had set up using at least part of what multiple sources have said appears to be its real user database.
Before we go into the findings from our anonymous source, we should be clear that we also don’t know who this person is. He or she contacted us through the Tor network, in order to obscure their identity. We ran the correspondent’s findings by another security expert who has taken a look at the stolen data, Troy Hunt, the proprietor of Have I Been Pwned. Having looked at the leaked data himself, Mr. Hunt confirmed that the findings appeared to come from someone who really has looked at the data.
The Observer acknowledges that our correspondent may have some ulterior motive in sharing this information that isn’t readily evident given the complexity of online subcultures and their trolls.
The following comes from someone who cannot be held accountable for their assertions. That said, here are some interesting points made in the anonymous message about the data:
- A lot of the leaked accounts appear to be fake: Of the 2,275,681 users our source said were shown in the hack, he or she wrote that 1,187,259 were created between August 21 and 24, using addresses at Yahoo, Hotmail and other services, with random strings for the beginning of addresses and for first names, and with no last names. Mr. Hunt expanded on why our source could be right to guess that 1.2 million accounts are fake. “You can look for trends in the patterns of addresses or structure of associated data,” he wrote. “I felt at the time that a lot of accounts were not real.” He added that this might have been test data automatically generated by Patreon since the hack took place on a test version of the site. Our source suggested that they could have been made by a site or sites aggressively ripping data from Patreon.
- 18 days inside: To open and work with the file, a user would need vastly more free hard drive space than most people have, according to our correspondent, who said the database alone takes up 69.8 GB. He or she estimates that the hack took 18 days to download, because the oldest record in the hack was dated September 10 and the last session was dated September 28.
- Home addresses compromised: Our source found roughly 17,000 addresses, 99 percent in one table with a little over 1,100 in another. Of course the writer did not say he or she actually checked to see if the addresses were real. Many could have been as phony as the emails. There were also, we were told, 31,421 PayPal emails, and 386,853 records that showed the last four digits of users’ credit cards (the hacker who claimed credit, ‘Vince,’ had also mentioned this on Twitter).
- Rewards and messages: The rewards table had 3.5 GB and messages had 1.3 GB. Our source told us nothing about what was in them.
- Tax info looks safe: The encryption key isn’t in there, according to the person who contacted us.
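The kind of pattern check described in the first point above can be sketched as follows. This is an added example, not the source's or Mr. Hunt's actual method: it flags accounts that combine a burst of same-day signups, an empty last name, and a random-looking address prefix and first name. The field names, thresholds and sample rows are all assumptions constructed for illustration.

```python
import statistics
from collections import Counter
from datetime import date

VOWELS = set("aeiou")

def looks_random(s):
    """Crude test for a machine-generated string: few vowels or a long consonant run."""
    s = s.lower()
    letters = [c for c in s if c.isalpha()]
    if len(letters) < 6:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    run = longest = 0
    for c in s:
        run = run + 1 if c.isalpha() and c not in VOWELS else 0
        longest = max(longest, run)
    return vowel_ratio < 0.2 or longest >= 5

def burst_days(rows, factor=3):
    """Days whose signup count exceeds `factor` times the median daily count."""
    per_day = Counter(r["created"] for r in rows)
    median = statistics.median(per_day.values())
    return {d for d, n in per_day.items() if n > factor * median}

def likely_generated(rows, factor=3):
    """Emails matching every signal: burst day, no last name, random prefix and first name."""
    days = burst_days(rows, factor)
    return [r["email"] for r in rows
            if r["created"] in days and not r["last"]
            and looks_random(r["email"].split("@")[0]) and looks_random(r["first"])]

def row(email, first, last, day):  # hypothetical record layout; the year is a placeholder
    return {"email": email, "first": first, "last": last, "created": date(2000, 8, day)}

# Constructed sample rows, not taken from the leaked data.
SAMPLE = [
    row("jane.doe@mail.example", "Jane", "Doe", 3),
    row("sam.lee@mail.example", "Sam", "Lee", 9),
    row("maria.rossi@mail.example", "Maria", "Rossi", 15),
    row("xkqzvbtrw@mail.example", "xkqzvbtrw", "", 21),
    row("pfjwqkzmd@mail.example", "pfjwqkzmd", "", 21),
    row("zrtvbnqlk@mail.example", "zrtvbnqlk", "", 21),
    row("oliver.grant@mail.example", "Oliver", "Grant", 21),
    row("hqwzdkfpm@mail.example", "hqwzdkfpm", "", 22),
    row("wvbnmtqrs@mail.example", "wvbnmtqrs", "", 22),
    row("kdjfghqwz@mail.example", "kdjfghqwz", "", 22),
    row("lmnpqrstv@mail.example", "lmnpqrstv", "", 22),
]
```

Requiring all signals together keeps a real user who happened to sign up on a burst day (the `oliver.grant` row) out of the flagged set; the vowel heuristic alone would misfire on some genuine names.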
Patreon declined to comment for this story.
We’re still no closer to knowing why “Vince,” the name of the hacker that claimed credit on Twitter before the hack became public, executed this hack; however, if the information we received here is accurate, 18 days is a lot of effort to go to for “lulz.”