Patreon log-in from unrecognized device

Hello. I’m not super tech savvy. My e-mail inbox shows something like 20 Patreon log-in attempts over a 2 min period yesterday from different IP addresses. I don’t remember trying to log in to my Patreon account at all. I assume this is very suspicious for someone trying to hack my account?

Your user/password combo is/was out in the ether, and some organized effort is trying to get a hit. I’d recommend using a password manager (I use Bitwarden) to manage and update your passwords monthly, especially ones that involve finances. You just need to remember one super password, and never know any other passwords, since Bitwarden does that for you. I prefer Bitwarden due to open source, code can be pentested, and it can be accessed via app or online at any time. Data breaches are here to stay, so be proactive to prevent being victimized.

1 Like

What Alpha suggested. I’d suggest immediately changing critical passwords, especially anything that shared passwords with Patreon. We all use emails and sometimes get too lazy and share passwords; with a single breached password and common email you could end up having other stuff accessed as well.

1 Like

I’ve been reading about them for yrs and have resisted. But prob a good idea to finally make the move.

I don’t even remember my own Patreon credentials (well, I obviously know which e-mail address now)! But, for non critical stuff, I usually use distinct passwords for all, thankfully. But def will be changing them right now.

Ugh, hate this kind of stuff. Thanks for the tip, y’all.

Yep…like most things I think ‘why would I need it, why bother?’ which gives way to ‘wow, why’d I wait so long, shoulda done it years ago’. A bit fiddly at first, and you give your trust that you will never actually know any of your passwords (they’re simply too complicated, by design), so will need to know how to retrieve them under any circumstances, but it is invaluable once invested. Try with only a few passwords first to get a feel, then go whole hog.

1 Like

You can be your own password manager. Let me introduce a concept of creating very strong passwords that are unique to each of your websites, but easy for you to remember, as you always hold the key in your head. I read about it somewhere a couple of years back, and have been using this for my passwords since then, with only a handful of exceptions where there is a limit on the password’s length or number of special characters:

  1. Make up an 8-10 character base phrase that has some meaning to you, so you easily remember it. Something random or silly, but meaningful to you only. This will be the base for all your unique passwords. I love my Audi, so for example let it be SmoothQ3. Make sure there is a mix of upper/lower case and numbers.
  2. Add a couple of special characters to the mix: SmoothQ3^!
  3. Now, for the final part, 4 characters specific to the web site you’re creating the password for. Could be part of the name, URL, anything that ties it in your head to this specific website.
     • For Chase bank, Chas: SmoothQ3^!Chas - Time to crack your password: 10 years
     • For Reddit: SmoothQ3^!Redd - Time to crack your password: 21 years
     • Leasehackr: SmoothQ3^!Hack (28 years to crack) or SmoothQ3^!Leas (315 years to bruteforce)

The longer the password - the better. You can even mix special characters depending on usage, like for important sites you use ^!, for not so important - ^? etc.

This worked for me very well.

And no, my LH password isn’t SmoothQ3^!Leas 😜 😜

9 Likes

Ooh, this is an interesting idea!

My current system is a simpler version of this. My version doesn’t work so well b/c I can’t remember the variations I have on my “base” passwords (and then have to use the “Forgot Password” function for non-critical credentials and then get annoyed when the website won’t let me choose a previous password!).

So far (knock wood) I’ve never lost-lost a managed password. But I have several times been told my saved password doesn’t match, reset it (to the same password) and had it work. If they’re spoiled, it’s usually their fault and not yours.

This will show up very easily in a password dump, which Mastercard Identity Manager just warned me today I was found in one on the “dark web”. Pretty easy to match up two lists and find the pattern.

Patreon has been hacked multiple times, I stopped donating to artists through them. I’ve tried to get some to let me donate directly, but everyone loves Jack Conte too much to transact off-platform.

4 Likes
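The pattern-matching concern raised in the post above, as an added self-audit example (not code from any poster): it checks a password export for entries that share a long common run, using the thread's sample passwords plus one constructed random password. The function names, the `VAULT` dict and the 6-character threshold are assumptions.

```python
from difflib import SequenceMatcher
from itertools import combinations

# Constructed sample vault: three passwords from the scheme described in the
# thread, plus one constructed random password for contrast.
VAULT = {
    "chase": "SmoothQ3^!Chas",
    "reddit": "SmoothQ3^!Redd",
    "leasehackr": "SmoothQ3^!Leas",
    "mail": "t7#Vq9zL!pW2xR",
}

def shared_run(a, b):
    """Longest run of characters that appears in both passwords."""
    m = SequenceMatcher(None, a, b, autojunk=False).find_longest_match(
        0, len(a), 0, len(b))
    return a[m.a:m.a + m.size]

def suffix_from_site(site, password, base):
    """True if what is left after removing the base is part of the site name."""
    rest = password.replace(base, "", 1).lower()
    return bool(rest) and rest in site.lower()

def audit(vault, min_run=6):
    """Report pairs of entries sharing min_run+ characters (no secrets returned)."""
    findings = []
    for (s1, p1), (s2, p2) in combinations(sorted(vault.items()), 2):
        base = shared_run(p1, p2)
        if len(base) < min_run:
            continue
        findings.append({
            "sites": (s1, s2),
            "shared_chars": len(base),
            # Characters that actually differ between the two entries.
            "unique_chars": (len(p1) - len(base), len(p2) - len(base)),
            "suffix_from_site_name": (suffix_from_site(s1, p1, base)
                                      and suffix_from_site(s2, p2, base)),
        })
    return findings

if __name__ == "__main__":
    for finding in audit(VAULT):
        print(finding)
```

A finding with 10 shared and 4 unique characters means that a single plain-text leak exposes most of every related password; entries flagged this way are the first to replace with independent random ones.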

Yes, admittedly this is less secure in case of plain-text password leaks than completely unique passwords for each site. Although with 2-step authentication being used more and more everywhere, risk is somewhat mitigated.

Still miles better than alternatives IMO. I’m not trusting software to store my passwords, I’m sorry. I’m in the field, I’ve seen things.

1 Like

I recall a discussion similar to this not too long ago (posted by @jeisensc). I planned to switch to a password manager but never got around to it. So instead, I use a hardware authentication device and the method @RustyDaemon suggests, but I need to try it out as @alphawave7 recommended.

1 Like

Same but very infrequent, and I think it has to do with a failed auto-fill or copypasta…next time it fails, just open your manager and manually copypasta and I bet it works. Usually I decide it’s time to roll a new one anyway.

I’ve got issues with this…especially related to OTPs sent to cell phones. All cell phone providers are suffering stolen SIMs where the hacker now has the ability to reset your passwords en masse. Reddit cellular co’s are full of horror stories. I mentioned to John in an earlier thread I use a prepaid phone (TMobile, $3/mo) solely for banks that refuse to give up sending OTP to a cell phone as 2 factor. Only thing that phone is used for, and the number doesn’t exist in any of my emails, should they get hacked.

2 Likes

Nope 😑😑😑

Did you unplug it, then plug it back in? lol Which manager do you use?

I used a similar system but this was a good description. The only setback for this method is if the website asks you to change passwords every quarter, 6 months, or year, then I start to lose track and password managers come in handy for those websites.

It’s ADB to SCSI-II to AppleTalk so I’m careful about the unplugging/re-plugging.

What I’m talking about is neither password truncation nor JS that prevents pasting it, I have run into sites where my saved password works many times, then just doesn’t. Once or twice it turned out to be a breach (everyone had to change their password, but not yet announced/customer service didn’t even know). But more often than not for me, if a saved/good password suddenly stops working, and my account isn’t otherwise locked, using the reset password flow with the same password has fixed it. Happened with UPS last week, happened with a big bank in July and I was on the phone with them while I reset it, they could see I logged-in previously and had not changed my password.

It shouldn’t ever happen, but it is happening more frequently.

2 Likes

my password is: Password1!

Nobody gets random venmo notifications that someone is trying to login?

Ah…understood. I don’t recall that happening to me yet, so I’ll be on the lookout.

No and you should probably secure it…