Patreon users – post-hack don’t let extortionists scare you into paying a ransom

Graham Cluley
Graham Cluley
@[email protected]

PatreonNearly every day I receive emails from people not just unfortunate enough to have had their personal contact details leaked as a result of the Ashley Madison hack, but that have also received blackmail emails from hackers threatening to expose their details.

I can sum up my advice as this: don’t pay. There is no guarantee that paying a ransom will result in anything other than your bank account being depleted, and the probability of hackers contacting your friends, business associates and family to tell them about your apparent membership of the site seems remote.

I do believe, however, that online extortion is a growing internet threat – and that we are likely to see more and more attempts by blackmailers to scare DDoS-attacked websites into paying up, and businesses and individuals pressured to give in to criminals’ demands or face the possible consequences of a public data leak.

Sure enough, reports are now emerging that customers of Patreon – which had 2.3 million users’ email addresses and other user data stolen last month – are receiving blackmail threats.

Sign up to our free newsletter.
Security news, advice, and tips.

Here’s an example of just such a ransom demand, posted by Twitter user @SirCrest:

Patreon extortion email

Part of the email reads as follows:

Unfortunately your data was leaked in the recent hacking of the Patreon web site and I now have your information. I have your tax id, tax forms, SSN, DOB, Name, Address, Credit card details and more sensitive data. Now, I can go ahead and leak your details online which would damage your credit score like hell and would create a lot of problems for you.

If you would like to prevent me from doing this then you need to send 1 bitcoin to the following BTC address.

However, it appears that the blackmail email isn’t being completely honest. (I know! Who would have thought it!?)

In a post on Patreon’s website back in October, CEO and co-founder Jack Conte explained the extent of the data loss:

There was unauthorized access to registered names, email addresses, posts, and some shipping addresses. Additionally, some billing addresses that were added prior to 2014 were also accessed. We do not store full credit card numbers on our servers and no credit card numbers were compromised. Although accessed, all passwords, social security numbers and tax form information remain safely encrypted with a 2048-bit RSA key. No specific action is required of our users

This week Conte has been busy reassuring users that any scam emails they have received attempting to blackmail them are inaccurate.

Patreon scam discussion

Clearly Patreon boobed badly, uploading its customer data to a test server that was not properly secured. But it doesn’t appear that hackers have managed to grab gold of users’ credit card numbers.

The blackmail emails are a scam. Once again, don’t pay them a penny. Hit the delete button instead.

You can read more about the Patreon blackmail campaign on Troy Hunt’s blog.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

One comment on “Patreon users – post-hack don’t let extortionists scare you into paying a ransom”

  1. furriephillips

    Come on Graham,

    Before deleting, report the abuse to the sender's ISP via SpamCop ( and help to reduce the number of systems unwittingly (or otherwise) complicit in these nefarious activities.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.