Kickstarter suffered a data breach and some information ended up compromised.
The company simultaneously published a blog post and sent out email alerts detailing the scope and possible consequences of the compromise, as well as its actions in the wake of the breach. Kickstarter is a crowdfunding platform that helps bring creative projects to life. Since its launch, more than 5 million people have funded more than 50,000 creative projects.
“On Wednesday night, law enforcement officials contacted Kickstarter and alerted us that hackers had sought and gained unauthorized access to some of our customers’ data,” said Kickstarter Chief Executive Yancey Strickler in a blog post. “Upon learning this, we immediately closed the security breach and began strengthening security measures throughout the Kickstarter system.”
“No credit card data of any kind was accessed by hackers. There is no evidence of unauthorized activity of any kind on all but two Kickstarter user accounts,” he said.
But the attackers did get the following user information: usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords.
“Older passwords were uniquely salted and digested with SHA-1 multiple times. More recent passwords are hashed with bcrypt,” Strickler said. “It is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one.”
Users who logged into Kickstarter with their Facebook login credentials are OK in that those credentials were not compromised. But they will have to reconnect the next time they access the site, as Kickstarter reset all Facebook login credentials as a precaution.
The company has recommended that users create a new password and change it on any other accounts where they use the old one.
Strickler didn’t share any details on how the attackers beat the system.