Let's Talk About That Patreon Hack

Hey Patrons, I feel I am honor-bound to talk about the Patreon hack with y'all and whether or not backing my campaign has put you at risk. Some of y'all may want to make some informed decisions about your relationship to Patreon in light of it, but I'll preface this by saying: I think you are probably safe.

The short version: on September 28th, Patreon's entire database was hacked. This was due to a debug version of the site being visible to the public and some guy taking note of it, downloading the entirety of the site's source code and data, and throwing it at GamerGate "for the lulz." GamerGate is insisting that this guy is not really a gater (as they always do) but is, nevertheless, scouring the data on 8chan looking for information on the people they don't like. I know of at least one prominent critic of GamerGate whose patrons are now getting doxxed as a result of the hack.

So let's say this up front: at this point, the damage has been done. If you were on Patreon before the 28th, your information is possibly compromised, and canceling any of your pledges or leaving the platform won't change that. Patreon doesn't keep complete credit card info in the database and all passwords are heavily encrypted, so the most sensitive information is safe. Just in case they find a way to decrypt the passwords, though, you should absolutely change your Patreon password and, if you use the same password on any other sites, change those as well. (Myself, I use LastPass to keep my passwords unique and hard to crack.)

What information is compromised is less sensitive but can be misused in the wrong hands. If you use an alias on Patreon, or if you donate anonymously, they can reveal your full name, and if they don't like that you're backing me (or anyone else you're backing) they can use that to go after you. None of my rewards have asked for your shipping addresses, but if you've sent them to other campaigns, that info might get out. For many, the big worry is private messages, so think hard on what you may have said on this site and whether it could be spun to your disadvantage.

The hack was announced on September 30th, which was (la di fucking da) precisely the same day I officially announced the campaign! Beautiful timing, I must say. This means if you created your account after the 28th, they've got nothing on you, and if you backed my campaign after the 28th, they at least won't connect you to me. That's about half of you in the clear, at least. If you backed during the soft-launch phase before the 28th, well, here are a couple questions to ask yourselves.

Am I safe backing Innuendo Studios?

Probably. I can't make promises. The leak is 14 gigabytes so they have to be pretty dedicated to find any individual person's info. I never know for sure where I am on GamerGate's shit list. I've certainly pissed some of them off, and every once in a while they flirt with the idea of going after me, but, being nakedly honest with you, I'm a straight, white, cisgendered man, and by and large they don't go after people like me without a lot more provocation. They've gone after folks like Jon McIntosh and Dan Olson, but only for being closely connected to feminist women they hate. I'd be honored to be that connected, but, at the moment, I'm not. Sargon of Akkad recently did a 3 1/2 hour livestream about how comically worthless I am, though, so it sometimes seems like all they need is a little push to say, "eh, why not Ian Danskin this time?" But, so far, that hasn't happened.

Am I safe on Patreon?

Again, probably. Info security types have looked at the leak and determined that it was a pretty dipshit maneuver on Patreon's part leaving a debug version of their site public. It's an incredibly easy hack, but, fortunately, it's also incredibly easy to fix, which they've done. It's also revealed some info that should probably have been encrypted beyond just passwords. Patreon won't be allowing specifically this type of hack in the future, and I would at least hope they will be encrypting more of their information. Whether or not you feel safe staying on the platform depends on how much you trust them. The fact is, hacks of major sites happen from time to time, and it's a risk we take being on any major site. The people behind Patreon are mostly straight white cismen like me and thus may not fully understand the threat of harassment, which is a problem many other platforms face. They are almost certainly aware that having security weaknesses is bad for business, though. This isn't how it should be, but, for now, being on the internet means the onus is on us to be careful about the info we share with sites and to keep our passwords strong.

Now, in my videos on crowdfunding I stressed the importance of being real with your audience. Being real about worries and concerns always runs the risk of seeming like emotional manipulation, especially in text where tone is hard to read. So I will do my best to tell you my thoughts without telling you what your own should be.

If anyone feels unsafe staying with Patreon, for fear of being associated with me in a possible future hack: I understand. I don't think that's likely, but the risk exists and you'll have to assess it for yourself. I won't blame you for whatever choice you make. If there is a mass exodus from my patrons over this, well... that might sink Innuendo Studios. There's been an outpouring of support for some of the people who've been threatened by the hack - Randi Harper noted that her info had been found by GamerGate and told her patrons she understands if they want to leave, and was instead greeted with a massive increase in backers and pledges, which I think is really beautiful. I'm not nearly as high-profile as Randi Harper. In one way, that makes me less of a target, but it also makes me unlikely to get an outpouring of support. If I lose a lot of patrons, it might take months and months to get them back. And my ability to gain patrons depends on putting out new videos, and how often I can put out videos depends on how many patrons I have, etc. etc. etc. It can become a spiral.

All that said: it is not worth it to me to keep you if it puts you at risk. Assess that risk for yourself and do what is right for you.

In other news: new video this week.