We showed the Patreon data dump, which we first saw posted on Mega.NZ this morning, to Erik Cabetas of Include Security. He looked at the ‘patredump.tar.gz’ file circulating today and gave us a few insights on it. Ars Technica made the first report on the dump.
“Looks like this Vince guy might be a hacker who got lucky,” Mr. Cabetas wrote in an email. “He’s bragging publicly and has left enough of a public trace he’ll likely get caught unlike the AshleyMadison hackers.” The Observer previously reported on what appears to be known about the hacker so far.
There’s much more data in the hack than was first realized. Users’ passwords may be safe, but a lot of other information will be in the open.
Mr. Cabetas indicated the following sorts of data points will soon be viewable as unpacked data makes it into the wild:
- Messages. Here’s hoping no one said anything too mean or too sweet inside Patreon messages, because that’s all live now.
- Everyone who backed each creator on the site. So, for example, we may see people feeling stunned/betrayed/horrified about who is supporting which creators.
- DMCA takedowns. Patreon is logging these in their database, so anyone trying to score Patreon dollars for posting other people’s IP will be exposed. Or, perhaps, the people paying them to do so will turn out to be more significant.
- Amounts of money. How much creators were earning in a given month will come out.
- Shipping addresses. A doxer’s dream, sadly.
- Encrypted tax forms. Mr. Cabetas could not find a key for it, however.
- “user_location” table. What could that be if there’s already a shipping address table?
With only an hour’s worth of analysis, Mr. Cabetas wasn’t able to go too deep, but he pointed to the metadata on the .tar.gz file that might indicate a name.
$ tar tfvz patredump.tar.gz
-rw-r--r-- lain/lain 17992 2015-09-28 12:08 patreon
-rw-r--r-- lain/lain 14800584447 2015-09-28 06:46 patreon.sql
-rw-r--r-- lain/lain 126460372 2015-09-28 12:10 patreon.tar.gz
-rw-r--r-- lain/lain 1049 2015-09-28 12:17 README
He said that “lain” shown there could be a clue to the user’s true name or another handle he or she uses, because, as he explained, “When you create a .tar file, it takes the user name that you are logged into your computer as and it embeds that into the metadata of the .tar file.” The attacker may or may not have been aware of this.
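The mechanism Mr. Cabetas describes can be checked directly: the owner and group names sit in each member’s tar header, so an analyst can read them without unpacking anything. The following is an added example (not from the article or from Include Security) that builds a small constructed archive whose headers carry the name “lain”, then reads back the same fields that `tar tvf` prints.

```python
import calendar
import io
import stat
import tarfile
from datetime import datetime, timezone


def inspect_tar_metadata(data: bytes) -> list:
    """Return the per-member header fields that `tar tvf` prints.

    uname/gname are copied verbatim from the archive header. GNU tar fills
    them from the account that ran `tar c`, which is why a dump can carry
    its creator's login name even though no file content mentions it.
    """
    rows = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf.getmembers():
            rows.append({
                "name": m.name, "size": m.size,
                "uid": m.uid, "gid": m.gid,
                "uname": m.uname, "gname": m.gname,
                "mode": stat.filemode(stat.S_IFREG | m.mode) if m.isreg() else "?",
                "mtime": datetime.fromtimestamp(m.mtime, tz=timezone.utc),
            })
    return rows


def owner_handles(data: bytes) -> set:
    """Distinct owner/group names embedded across all members (the attribution clue)."""
    names = set()
    for row in inspect_tar_metadata(data):
        names.update(n for n in (row["uname"], row["gname"]) if n)
    return names


def tvf_line(row: dict) -> str:
    """Render one member the way `tar tvf` does, for side-by-side comparison."""
    when = row["mtime"].strftime("%Y-%m-%d %H:%M")
    return f'{row["mode"]} {row["uname"]}/{row["gname"]} {row["size"]} {when} {row["name"]}'


def build_sample_archive() -> bytes:
    """Constructed sample archive (not the real dump); file names and sizes are invented."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, payload in (("README", b"sample readme\n"), ("patreon.sql", b"-- sample\n")):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            info.mode = 0o644
            info.uid = info.gid = 1000
            info.uname = info.gname = "lain"  # constructed; mirrors the article's listing
            info.mtime = calendar.timegm((2015, 9, 28, 12, 17, 0))  # treated as UTC here
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()
```

Running `owner_handles()` over an archive returns every owner or group name in its headers, which is the first thing to record when documenting provenance of a leaked dump.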
Mr. Cabetas said that, based on what he’s seen, all of Patreon’s OAuth access tokens and other login token tables should be completely wiped immediately, so that everyone has to log in again and reset their passwords.
UPDATE: For further analysis, Mr. Cabetas showed the config files described in a previous version of the story to additional Include Security staff. The team found the third-party keys to be “sandbox keys” rather than live keys, so hackers should not have been able to access those services as Patreon, as previously described. October 2, 2015 12:37 PM.