Hackers have published almost 15 gigabytes' worth of password data, donation records, and source code taken during the recent hack of the Patreon funding website.
"The fact that source code exists ... is interesting [and] suggests much more than just a typical SQL injection attack and points to a broader compromise," he told Ars. Referring to the inclusion of a 13.7-gigabyte database, he added: "At the very least, it means mapping individuals with the Patreon campaigns they supported. There's more data. I'll look closer once the restore is complete."
He said unpacking such a large archive file, sorting through its contents, and loading various MySQL database files takes time. Hunt, who maintains the widely visited have i been pwned? website, said he expected to index affected e-mail addresses on the service as soon as possible. Update 1: Hunt has now been able to sift through the data and has found 2.3 million unique e-mail addresses, including his own.
Hunt isn't the only one to view the contents. Several people have posted screenshots of the purported Patreon data on social media sites, including the image included at the top of this post. If authentic, some of the contents were generated on Patreon servers as recently as September 24. As this Ars post was being prepared, a variety of Patreon subscribers, including this one, took to Twitter to say they found their e-mail addresses in the dump.
Patreon subscribers should make sure they have changed their compromised password, both on Patreon and on any other websites it may have been used. Patreon users should also be prepared for the very real possibility that anything they did on the donations site is now a permanent part of the Internet record.
Update 2: Hunt said the release appears to include the entire database taken in the hack, including a fair number of private messages sent and received by users. "Obviously all the campaigns, supporters and pledges are there too," he wrote in one tweet. "You can determine how much those using Patreon are making." In a separate tweet, he wrote: "The dollar figure for the Patreon campaigns isn't the issue, it's supporters identities, messages, etc. Everything private now public."