Thursday 15 October 2015

Another week, another data leak [Link - MTI Bytes]

Another piece I wrote for the work blog: http://www.mtibytes.com/post/Another-week-another-data-leak

==================
San Francisco-based crowdfunding platform, Patreon, is the latest casualty in a series of recent data breaches. The incident has seen hackers download and leak a 15GB user database containing names, addresses, email addresses and donation information. So far, the hack has exposed 2.3 million users and their personal data, with the exception of credit card details, passwords, social security numbers and tax information.

In response to the hack, Patreon Founder Jack Conte wrote:

“There was unauthorised access to registered names, email addresses, posts, and some shipping addresses. Additionally, some billing addresses that were added prior to 2014 were also accessed. We do not store full credit card numbers on our servers and no credit card numbers were compromised. Although accessed, all passwords, social security numbers and tax form information remain safely encrypted with a 2048-bit RSA key.”

The question arises: how can you protect certain data?

Importance of encryption

Due to Patreon safely encrypting the information using a 2048-bit RSA key, hackers have been unable to access or leak users’ passwords, social security numbers and tax information.

In other words, Patreon protects key information via a multi-level password hashing scheme called ‘bcrypt’. The key benefit of ‘bcrypt’ is that it is irreversible, which means it cannot be “decrypted”. In Patreon’s case, the fact that the company did not store plaintext passwords explains why the hackers could access only certain types of information.

As a result of Patreon using ‘bcrypt’, an added layer of security protects the information, enabling passwords and credit card details to remain safe despite the hack. This additional security minimises the damage of the hack by securely protecting the most valuable information – the credit card details of millions of users.
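The point above only holds if every stored credential really is a bcrypt hash. The following audit sketch is an added example, not code from Patreon or the original post: it checks a credentials column against the standard bcrypt string layout and flags plaintext, other digests, low cost factors and reused salts. The `MIN_COST` threshold, function names and sample rows are assumptions constructed for illustration.

```python
import re

# bcrypt string layout: $2<variant>$<2-digit cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(
    r"^\$2[abxy]?\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")
MIN_COST = 10  # assumed policy threshold, not a figure from the article

def classify(stored):
    """Return (status, cost) for one stored credential value."""
    m = BCRYPT_RE.match(stored)
    if not m:
        # Plaintext, an unsalted digest, or some other scheme entirely.
        return ("not_bcrypt", None)
    cost = int(m.group(1))
    if not 4 <= cost <= 31:          # range bcrypt itself accepts
        return ("invalid_cost", cost)
    if cost < MIN_COST:
        return ("weak_cost", cost)
    return ("ok", cost)

def audit(rows):
    """Map user id -> finding for every row that is not an acceptable hash."""
    findings = {}
    for user_id, stored in rows:
        status, cost = classify(stored)
        if status != "ok":
            findings[user_id] = (status, cost)
    return findings

def shared_salts(rows):
    """Return salts found on more than one row; salts should be per-user."""
    seen = {}
    for user_id, stored in rows:
        m = BCRYPT_RE.match(stored)
        if m:
            seen.setdefault(m.group(2), []).append(user_id)
    return {salt: ids for salt, ids in seen.items() if len(ids) > 1}

# Constructed sample rows: filler characters, not real hashes or users.
SAMPLE = [
    (1, "$2b$12$" + "A" * 22 + "B" * 31),
    (2, "$2a$04$" + "C" * 22 + "D" * 31),  # valid layout, cost too low
    (3, "ab" * 16),                        # 32 hex chars: unsalted-digest shape
    (4, "hunter2"),                        # plaintext
    (5, "$2b$12$" + "A" * 22 + "E" * 31),  # reuses user 1's salt
]

if __name__ == "__main__":
    print(audit(SAMPLE))
    print(shared_salts(SAMPLE))
```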

Protect the test environment

The belief is that a publicly available debug version of the Patreon website led to the Patreon hack. Essentially, some of the site remained open, as part of a test environment, rather than behind a firewall.

Patreon’s data compromise highlights that test environments exposed to the Internet are just as important as their live counterparts. Security therefore needs to be tight, even on test sites. Web application firewalls and Data Loss Protection (DLP) solutions can help prevent data from leaving the site, keeping it secure, and are often the first line of defense for any company.

While the Patreon hack is undeniably a terrible breach of security, the company’s use of ‘bcrypt’ is helping to contain the damage, and highlights to other businesses the importance of good security practice.
