Patreon users – post-hack don’t let extortionists scare you into paying a ransom

Graham Cluley


Nearly every day I receive emails from people not just unfortunate enough to have had their personal contact details leaked as a result of the Ashley Madison hack, but who have also received blackmail emails from hackers threatening to expose their details.

I can sum up my advice as this: don’t pay. There is no guarantee that paying a ransom will result in anything other than your bank account being depleted, and the probability of hackers contacting your friends, business associates and family to tell them about your apparent membership of the site seems remote.

I do believe, however, that online extortion is a growing internet threat – and that we are likely to see more and more attempts by blackmailers to scare DDoS-attacked websites into paying up, and businesses and individuals pressured to give in to criminals’ demands or face the possible consequences of a public data leak.

Sure enough, reports are now emerging that customers of Patreon – which had 2.3 million users’ email addresses and other user data stolen last month – are receiving blackmail threats.

Here’s an example of just such a ransom demand, posted by Twitter user @SirCrest:

[Image: Patreon extortion email]

Part of the email reads as follows:

Unfortunately your data was leaked in the recent hacking of the Patreon web site and I now have your information. I have your tax id, tax forms, SSN, DOB, Name, Address, Credit card details and more sensitive data. Now, I can go ahead and leak your details online which would damage your credit score like hell and would create a lot of problems for you.

If you would like to prevent me from doing this then you need to send 1 bitcoin to the following BTC address.

However, it appears that the blackmail email isn’t being completely honest. (I know! Who would have thought it!?)

In a post on Patreon’s website back in October, CEO and co-founder Jack Conte explained the extent of the data loss:

There was unauthorized access to registered names, email addresses, posts, and some shipping addresses. Additionally, some billing addresses that were added prior to 2014 were also accessed. We do not store full credit card numbers on our servers and no credit card numbers were compromised. Although accessed, all passwords, social security numbers and tax form information remain safely encrypted with a 2048-bit RSA key. No specific action is required of our users

This week Conte has been busy reassuring users that any scam emails they have received attempting to blackmail them are inaccurate.

[Image: Patreon scam discussion]

Clearly Patreon boobed badly, uploading its customer data to a test server that was not properly secured. But it doesn’t appear that hackers have managed to grab hold of users’ credit card numbers.

The blackmail emails are a scam. Once again, don’t pay them a penny. Hit the delete button instead.

You can read more about the Patreon blackmail campaign on Troy Hunt’s blog.

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

One Reply to “Patreon users – post-hack don’t let extortionists scare you into paying a ransom”

  1. Come on Graham,

    Before deleting, report the abuse to the sender's ISP via SpamCop (https://www.spamcop.net/) and help to reduce the number of systems unwittingly (or otherwise) complicit in these nefarious activities.
