Security Affairs
JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Patreon crowdfunding site hacked and data leaked online

The Crowdfunding website Patreon has been hacked and about 15 gigabytes of data including names, addresses and donations have been published online. The data have been available on different servers online locations, including this source. The Patreon website collects donations to artists for projects, according to the information provided by the chief executive Jack Conte, credit card […]

Patreon crowdfunding site hacked and data leaked online

The Crowdfunding website Patreon has been hacked and about 15 gigabytes of data including names, addresses and donations have been published online.

The data have been available on different servers online locations, including this source.

The Patreon website collects donations to artists for projects, according to the information provided by the chief executive Jack Conte, credit card details were not stolen. According to official statistics published by Patreon the company website reached nearly 16 million of views per month in June 2015.

“We do not store full credit card numbers on our servers and no credit card numbers were compromised. Although accessed, all passwords, social security numbers and tax form information remain safely encrypted with a 2048-bit RSA key.  No specific action is required of our users, but as a precaution I recommend that all users update their passwords on Patreon.” he wrote on the Patreon blog.

Conte confirmed that passwords were encrypted, but anyway he urges Patreon users to change their login credentials.

Patreon website hacked

As reported by ArsTechnica, five days before Patreon staff disclosed the data breach, researchers at Swedish security firm Detectify reported the company a serious programming. The researchers speculate that the exploitation of that flaw allowed hackers to steal data.

Patreon developers allowed a Web application tool known as the Werkzeug utility library to run on its production environment, the same application was used also by the real users of the website.

According to the experts the hackers exploited the Werkzeug debugger to execute arbitrary code from within the browser, the flaw was well known since last December when was discovered by a researcher.

“This is basically Remote Code Execution by design,” Detectify researcher Frans Rosén wrote in ablog post published Friday morning. “An RCE is basically game over. You can inject code directly to the application, exposing all data on the server which the application has access to.”

Rosén explained that the ability to run arbitrary code is supposed to be triggered after a developer enters a secret key that’s generated when the debugger first loads. The debugger will get activated every time a Web app throws an exception, as a result, even unauthorized user who visited Patreon could activate the debugging tool forcing an error condition.

“Most certainly they created an interactive shell which connected to them remotely, which would make it possible for them to walk around the server and push all data over to the attackers,” Rosén wrote in an e-mail to Ars. “The good thing is that since all communication of the commands sent into Werkzeug are done via GET-requests, [Patreon officials] will most certainly be able to see exactly what commands that was being issued. However, it’ll probably just reveal a creation of an interactive shell which [the hackers] then used to extract all the data.”

Cyber security expert Troy Hunt confirmed that the data disclosed online appears to be genuine despite “many tens of thousands” appeared to be auto-generated.

Hunt identified 2.3 million unique email addresses in the stolen data, including his own.

Stay Tuned!

Pierluigi Paganini

(Security Affairs – Patreon , data breach)