I can sum up my advice as this: don’t pay. There is no guarantee that paying a ransom will result in anything other than your bank account being depleted, and the probability of hackers contacting your friends, business associates and family to tell them about your apparent membership of the site seems remote.
I do believe, however, that online extortion is a growing internet threat – and that we are likely to see more and more attempts by blackmailers to scare DDoS-attacked websites into paying up, and businesses and individuals pressured to give in to criminals’ demands or face the possible consequences of a public data leak.
Sure enough, reports are now emerging that customers of Patreon – which had 2.3 million users’ email addresses and other user data stolen last month – are receiving blackmail threats.
Here’s an example of just such a ransom demand, posted by Twitter user @SirCrest:
Part of the email reads as follows:
Unfortunately your data was leaked in the recent hacking of the Patreon web site and I now have your information. I have your tax id, tax forms, SSN, DOB, Name, Address, Credit card details and more sensitive data. Now, I can go ahead and leak your details online which would damage your credit score like hell and would create a lot of problems for you.
If you would like to prevent me from doing this then you need to send 1 bitcoin to the following BTC address.
However, it appears that the blackmail email isn’t being completely honest. (I know! Who would have thought it!?)
In a post on Patreon’s website back in October, CEO and co-founder Jack Conte explained the extent of the data loss:
There was unauthorized access to registered names, email addresses, posts, and some shipping addresses. Additionally, some billing addresses that were added prior to 2014 were also accessed. We do not store full credit card numbers on our servers and no credit card numbers were compromised. Although accessed, all passwords, social security numbers and tax form information remain safely encrypted with a 2048-bit RSA key. No specific action is required of our users
This week Conte has been busy reassuring users that any scam emails they have received attempting to blackmail them are inaccurate.
Clearly Patreon boobed badly, uploading its customer data to a test server that was not properly secured. But it doesn’t appear that hackers have managed to grab gold of users’ credit card numbers.
The blackmail emails are a scam. Once again, don’t pay them a penny. Hit the delete button instead.
You can read more about the Patreon blackmail campaign on Troy Hunt’s blog.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.