In late September, crowdfunding site Patreon was hacked, and large amounts of internal data were leaked online.
Opportunist scammers are now attempting to take advantage of this and blackmail users affected by the breach, according to TechCrunch.
Posting on Twitter over the weekend, cartoonist Steve Streza says that "everyone whose data got leaked when [Patreon] got hacked is getting extortion emails for bitcoin this morning."
The email Streza received from the would-be blackmailer claims that they "have your tax id [sic], tax forms, SSN, DOB, Name, Address, Credit card details and more sensitive data." The extorter then threatens to leak this data online unless the victim sends them a bitcoin ransom.
Bitcoin--a kind of digital currency--is a popular choice for cybercrime because it is anonymous, with no easy way to link a bitcoin "wallet" with its owner's true identity.
Patreon CEO Jack Conte urges customers to ignore the extortion attempt, claiming the scammer is lying about the kind of data they have. "I learned yesterday evening that some Patreon users have been receiving a scam email," he said in a statement. "The sender claims to have the recipient’s SSN, credit card number and other personal information. I want to assure everyone that the claims in this email are false, and we are already working with federal law enforcement.
"Do not reply to the email--it is a scam. The tax forms we store are securely encrypted with RSA 2048-bit encryption, and we do not store full credit card numbers. If you receive this email I suggest you flag it as spam and ignore any further emails. Do not reply."
Additionally, TechCrunch's John Biggs--a Patreon user himself--says he received the email. The bitcoin address that the scammer asks for ransoms to be paid to is apparently not unique (despite what the email claims), and has been sent almost nothing. As of press time, it had received just 0.0001312 bitcoin--around $0.04, or £0.03.
After Patreon was hacked, the data was leaked publicly online and subsequently verified by Troy Hunt, a security researcher who specializes in data breaches. As such, even if a user paid a ransom, there would be no guarantee that another, unconnected scammer didn't try to extort them again at a later date.
So who's behind this (failing) extortion attempt? According to CSO Online, it's the same people who attempted to extort the victims of the Ashley Madison hack. After the extra-marital affairs dating website was hacked earlier this year, customers received blackmail demands threatening to out them unless they paid a bitcoin bounty.
CSO Online says a group calling themselves DD4BC was responsible for the Ashley Madison extortion emails, and that the same group is at it again now.