Patreon users - post-hack don't let extortionists scare you into paying a ransom

Nearly every day I receive emails from people not just unfortunate enough to have had their personal contact details leaked as a result of the Ashley Madison hack, but that have also received blackmail emails from hackers threatening to expose their details.

I can sum up my advice as this: don't pay. There is no guarantee that paying a ransom will result in anything other than your bank account being depleted, and the probability of hackers contacting your friends, business associates and family to tell them about your apparent membership of the site seems remote.

I do believe, however, that online extortion is a growing internet threat - and that we are likely to see more and more attempts by blackmailers to scare DDoS-attacked websites into paying up, and businesses and individuals pressured to give in to criminals' demands or face the possible consequences of a public data leak.

Sure enough, reports are now emerging that customers of Patreon - which had 2.3 million users' email addresses and other user data stolen last month - are receiving blackmail threats.

Here's an example of just such a ransom demand, posted by Twitter user @SirCrest:

Patreon extortion email

Part of the email reads as follows:

Unfortunately your data was leaked in the recent hacking of the Patreon web site and I now have your information. I have your tax id, tax forms, SSN, DOB, Name, Address, Credit card details and more sensitive data. Now, I can go ahead and leak your details online which would damage your credit score like hell and would create a lot of problems for you.

If you would like to prevent me from doing this then you need to send 1 bitcoin to the following BTC address.

However, it appears that the blackmail email isn't being completely honest. (I know! Who would have thought it!?)

In a post on Patreon's website back in October, CEO and co-founder Jack Conte explained the extent of the data loss:

There was unauthorized access to registered names, email addresses, posts, and some shipping addresses. Additionally, some billing addresses that were added prior to 2014 were also accessed. We do not store full credit card numbers on our servers and no credit card numbers were compromised. Although accessed, all passwords, social security numbers and tax form information remain safely encrypted with a 2048-bit RSA key. No specific action is required of our users.

This week Conte has been busy reassuring users that any scam emails they have received attempting to blackmail them are inaccurate.

Patreon scam discussion

Clearly Patreon boobed badly, uploading its customer data to a test server that was not properly secured. But it doesn't appear that hackers have managed to grab hold of users' credit card numbers.

The blackmail emails are a scam. Once again, don't pay them a penny. Hit the delete button instead.

You can read more about the Patreon blackmail campaign on Troy Hunt's blog.



One Response

  1. furriephillips

    November 24, 2015 at 11:10 am

    Come on Graham,

    Before deleting, report the abuse to the sender's ISP via SpamCop (https://www.spamcop.net/) and help to reduce the number of systems unwittingly (or otherwise) complicit in these nefarious activities.
