Leaked Patreon data used to extort Bitcoins from affected users

I just received my first Bitcoin extortion email, and I’m not impressed. Patreon is a crowd-funding website that has become popular among podcasters. As an avid podcast listener, I’ve got an account with the service and give monthly micro-donations to podcasters I enjoy. Today I received this extortion email, sent to the email address I used with the service:

Unfortunately your data was leaked in the recent hacking of the Patreon website and I now have your information. I’ve your tax id, tax forms, SSN, DOB, Name, Address, Credit card details, and more sensitive data. Now, I can go ahead and leak your details online which would damage your credit score like hell and would create a lot of problems for you.

If you would like to prevent me from doing this then you need to send 1 bitcoin to the following BTC address.

Bitcoin Address:
1QAQTyhCzAfvp8uLpneBNamWTNRR1hx9Cp

You can buy bitcoins using online exchanges easily. The bitcoin address is unique to you. Sending bitcoin takes time, so you better get started right now, you’ve 48 hours in total.

I can totally see that people could get freaked out by this email. However, the emails are sent out in batches of three against an alphabetically sorted list of email addresses. The emails aren’t targeted and don’t contain any of the information they threaten to leak, other than the email address itself. The scam would have been much more effective if it had been addressed to you by name and had one of the more sensitive pieces of information attached.

Patreon did have a data breach back in October of this year. At the time, Patreon made this statement:

We don’t store full credit card numbers on our servers and no credit card numbers were compromised. Although accessed, all passwords, social security numbers, and tax form information remain safely encrypted with a 2048-bit RSA key. No specific action is required of our users.

Update: Patreon has since removed the statement from their website, some time in the middle of 2016. They didn’t care to comment on why they removed it instead of adding a notice saying it was outdated.

I’m frankly surprised by how badly thought through this scam is. The information has already been leaked, and users who know about the data breach will already be aware of this. The email also fails to explain what on earth Bitcoins are, how you acquire them, and how you make payments with them. Anyone gullible enough to fall for this mass-emailing scam would probably not possess the technical skills required to make the payment using the method demanded. It’s simply not beginner-friendly. If this attack were targeted at Bitcoin users from a breach of a Bitcoin-related website, it would probably do fine. But as it stands, they’ve just emailed a bunch of people a threat that doesn’t make any relatable sense to them beyond the name Patreon.

The claims in the emails are all false. For example, the Bitcoin address isn’t unique. From looking at the headers we can see that the identical message was sent to three other recipients. From searching the web, you’ll find that others have also received the exact same Bitcoin address.
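The header check described above can be automated for a whole mailbox. The following script is an added example, not code from the post or from Patreon: it parses a constructed batch of raw messages (the sender, recipients and body are made up, modelled on the quoted email; only the Bitcoin address is the one from the post), pulls the recipients from the To/Cc headers, extracts legacy Base58 Bitcoin addresses with a regular expression (bech32 addresses are deliberately not handled), and then reports every claim the mail makes that the batch itself contradicts: a "unique" address shared by several people, one message addressed to many recipients, and a body reused verbatim.

```python
import email
import hashlib
import re
from collections import Counter, defaultdict
from email import policy
from email.utils import getaddresses

# Legacy Base58 Bitcoin address shape: leading 1 or 3, 26 to 35 characters,
# never containing 0, O, I or l. Bech32 (bc1...) addresses are out of scope here.
BTC_ADDRESS_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")

# Constructed scam body modelled on the one quoted in the post (not a real capture).
SCAM_BODY = (
    "Unfortunately your data was leaked in the recent hacking of the Patreon\n"
    "website. Send 1 bitcoin to the following BTC address.\n"
    "\n"
    "Bitcoin Address:\n"
    "1QAQTyhCzAfvp8uLpneBNamWTNRR1hx9Cp\n"
    "\n"
    "The bitcoin address is unique to you. You have 48 hours in total.\n"
)


def build_message(to_header: str, body: str = SCAM_BODY) -> bytes:
    """Assemble a minimal RFC 5322 message; sender and recipients are made up."""
    return (
        "From: extortionist@example.invalid\n"
        f"To: {to_header}\n"
        "Subject: Your Patreon data\n"
        "\n"
        f"{body}"
    ).encode("ascii")


# A constructed batch: one message to three recipients, one to a fourth person,
# both carrying the same "unique" address and the same body.
SAMPLE_MESSAGES = [
    build_message("alice@example.com, bob@example.com, carol@example.com"),
    build_message("Dave <dave@example.com>"),
]


def parse_message(raw: bytes) -> dict:
    """Extract recipients, Bitcoin addresses and a body fingerprint from one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # getaddresses() copes with comma-separated lists and "Name <addr>" forms.
    header_values = msg.get_all("To", []) + msg.get_all("Cc", [])
    recipients = sorted({addr.lower() for _, addr in getaddresses(header_values) if addr})
    body_part = msg.get_body(preferencelist=("plain",))
    text = body_part.get_content() if body_part is not None else ""
    # Whitespace-normalised hash so identical mass mailings collapse to one fingerprint.
    fingerprint = hashlib.sha256(" ".join(text.split()).encode()).hexdigest()[:16]
    return {
        "recipients": recipients,
        "btc_addresses": sorted(set(BTC_ADDRESS_RE.findall(text))),
        "body_fingerprint": fingerprint,
    }


def triage(raw_messages: list) -> dict:
    """Check a batch of suspected extortion mails against the claims the mails make."""
    parsed = [parse_message(raw) for raw in raw_messages]
    recipients_per_address = defaultdict(set)
    messages_per_body = Counter()
    for p in parsed:
        for addr in p["btc_addresses"]:
            recipients_per_address[addr].update(p["recipients"])
        messages_per_body[p["body_fingerprint"]] += 1

    findings = []
    for addr, rcpts in sorted(recipients_per_address.items()):
        if len(rcpts) > 1:
            findings.append(f"address {addr} was sent to {len(rcpts)} people: not unique to anyone")
    for p in parsed:
        if len(p["recipients"]) > 1:
            findings.append(f"one message addressed to {len(p['recipients'])} recipients: batch mailing, not targeted")
    for fp, n in messages_per_body.items():
        if n > 1:
            findings.append(f"body {fp} reused verbatim in {n} messages: template, not personalised")
    return {
        "messages": parsed,
        "shared_addresses": {a: sorted(r) for a, r in recipients_per_address.items() if len(r) > 1},
        "findings": findings,
    }


if __name__ == "__main__":
    for line in triage(SAMPLE_MESSAGES)["findings"]:
        print(line)
```

Run against real .eml files, the same three checks give a mail administrator a quick way to tell a templated mass mailing from a targeted threat; the body fingerprint is also a usable key for grouping user reports of the same campaign.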

Never pay any attention to a Bitcoin extortion email. Maybe unless they’ve attached a photo from a webcam’s perspective inside your house and know the name of your cat and favorite cereal. Then you should be worried.