In yet another security breach, hackers dumped the information stored on the Patreon donations website online. The entire code base and the database were copied from the servers and published. Security researchers and investigators are still following the trail to catch the criminals.
The data is currently being posted at several locations, primarily on torrent websites, to make it hard for Patreon to stop it spreading. According to initial reports, the databases contain millions of unique email addresses, details of the operation, internal communications and some other credentials exchanged between users and the website. According to security researchers, the hack was carried out by exploiting a single SQL injection vulnerability on the website. SQL injection is a very common vulnerability that lets an attacker run arbitrary SQL against the database and, from there, gain administrative privileges or worse.
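To make the vulnerability class concrete, here is an added example (not Patreon's code, whose schema and stack are not public) with a constructed three-row `users` table in an in-memory SQLite database. The vulnerable lookup pastes the username into the SQL text, so a textbook tautology input changes the query's logic and returns every row; the hardened lookup binds the same input as a parameter and it is simply compared as a string. The table, usernames and the `lookup_*` function names are all assumptions for illustration.

```python
import sqlite3

# Constructed sample data: a minimal "users" table standing in for the
# kind of table a donation site keeps. This is not Patreon's schema.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("carol", "carol@example.com"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    # Defect: user input is spliced into the SQL text, so the input can
    # change the structure of the query rather than only supplying a value.
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    # Parameterised query: the driver sends the value separately from the
    # SQL text, so whatever the input contains, it is compared as a string.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def demo():
    conn = make_db()
    normal = "alice"
    # Textbook tautology input, used only to contrast the two lookups.
    hostile = "' OR '1'='1"
    return {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),  # every row
        "safe_normal": lookup_safe(conn, normal),
        "safe_hostile": lookup_safe(conn, hostile),  # no such user, no rows
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The fix is the same whatever the database driver: never build SQL by string formatting with user-controlled values, and have the driver bind parameters. A query-logging alert on unexpectedly large result sets from a lookup that should return one row is the cheap detection the article's "should have raised alarms" remark points at.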
The hackers in this scenario did exactly that. They first discovered the SQL injection and then dumped the entire database onto their own systems, which should have raised alarms with the webmasters and network administrators. The dump was close to 13GB, and downloading that much data takes a considerable amount of time.
However, there is some good news: the users' credentials were protected by a password-hashing algorithm called bcrypt. It is one of the most secure algorithms of its kind, and it takes an attacker a very long time to recover plaintext passwords from the hashed strings. Its cost is set so high that the hardware required is massive and the time needed to crack the hashes is on the order of a hundred years.
The algorithm is somewhat heavy on processors and compute-intensive, but it protects the credentials from misuse. It has been said that even state-sponsored hackers cannot break this hashing without waiting a couple of years.
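The two properties that make the leaked hashes hard to exploit are a random salt per password and a tunable work factor. The following added example (not Patreon's code) shows both with standard-library PBKDF2-HMAC-SHA256 as a stand-in, because Python ships no bcrypt; the record format, the `ITERATIONS` value and the two sample users with the same password are constructed for illustration. A real deployment would use the bcrypt (or argon2) package instead of this substitute.

```python
import hashlib
import hmac
import os
import time

# Stand-in for bcrypt: the standard library has no bcrypt, so this uses
# PBKDF2-HMAC-SHA256, which shares the two properties the article relies on,
# a per-password random salt and a tunable work factor.
ITERATIONS = 200_000  # the work factor; raise it as hardware gets faster


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    salt = os.urandom(16)  # fresh salt per password, so equal passwords differ
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Self-describing record (algorithm, cost, salt, digest), in the same
    # spirit as bcrypt's "$2b$12$..." strings, so the cost can be raised later.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison, so timing leaks nothing about the digest
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def fast_unsalted_hash(password: str) -> str:
    # What a leaked table looks like when a site uses a plain fast hash:
    # identical passwords give identical hashes, so one lookup table or one
    # high-speed guessing run cracks every user at once.
    return hashlib.sha256(password.encode()).hexdigest()


def measure_rate(hash_fn, seconds: float = 0.2) -> float:
    """Rough hashes per second for hash_fn on this machine (varies by host)."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_fn("correct horse battery staple")
        n += 1
    return n / (time.perf_counter() - start)


def demo():
    # Constructed sample: two users who chose the same password
    users = {"alice": "hunter2", "bob": "hunter2"}
    slow = {u: hash_password(p) for u, p in users.items()}
    fast = {u: fast_unsalted_hash(p) for u, p in users.items()}
    return {
        "slow_records_differ": slow["alice"] != slow["bob"],
        "fast_records_identical": fast["alice"] == fast["bob"],
        "verify_ok": verify_password("hunter2", slow["alice"]),
        "verify_wrong": verify_password("hunter3", slow["alice"]),
    }


if __name__ == "__main__":
    print(demo())
    print(f"fast unsalted hash: ~{measure_rate(fast_unsalted_hash):,.0f}/s")
    print(f"salted slow hash:   ~{measure_rate(hash_password):,.0f}/s")
```

Running the script prints the rate gap between the two hash functions on the local machine; the ratio is the factor by which an attacker's guessing budget shrinks, and the salt means that budget has to be spent separately for every user in the dump.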
Beyond that, it is disturbing for users to find their email addresses in the dump, and spammers will apparently use them for even more junk email. Patreon isn't saying much about the situation for now, until the investigation is over.
It has been well said that no computer in this world is 100-percent secure; even one buried 20 feet underground can still be compromised. Developers and webmasters today rely on advanced algorithms and IDEs to secure their packages, yet they still get compromised, whether through the software itself or a bug in their own code. Patreon is a perfect example of it.