Popular crowdfunding website Kickstarter alerted customers on Saturday to a security breach of the site’s servers. While there is no indication that the hackers obtained credit card information, the site revealed that some user data was indeed stolen, including usernames, email addresses, physical mailing addresses, phone numbers, and encrypted passwords.
On Wednesday night, law enforcement officials contacted Kickstarter and alerted us that hackers had sought and gained unauthorized access to some of our customers’ data. Upon learning this, we immediately closed the security breach and began strengthening security measures throughout the Kickstarter system.
Although the passwords obtained by the hackers were encrypted, it is still possible that the list could be decrypted and accessed by hackers with enough time and computing power. Short, simple passwords are particularly vulnerable to these so-called “brute force” attacks. Kickstarter therefore recommends that users immediately change their passwords on the site as well as on any other website where the same password is used.
In addition to its email to customers, Kickstarter published a blog post detailing the breach and providing a brief FAQ, quoted below:
How were passwords encrypted?
Older passwords were uniquely salted and digested with SHA-1 multiple times. More recent passwords are hashed with bcrypt.
Does Kickstarter store credit card data?
Kickstarter does not store full credit card numbers. For pledges to projects outside of the US, we store the last four digits and expiration dates for credit cards. None of this data was in any way accessed.
If Kickstarter was notified Wednesday night, why were people notified on Saturday?
We immediately closed the breach and notified everyone as soon we had thoroughly investigated the situation.
Will Kickstarter work with the two people whose accounts were compromised?
Yes. We have reached out to them and have secured their accounts.
I use Facebook to log in to Kickstarter. Is my login compromised?
No. As a precaution we reset all Facebook login credentials. Facebook users can simply reconnect when they come to Kickstarter.
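The FAQ answer above describes two password-storage schemes living side by side: older records salted and digested with SHA-1 multiple times, newer ones hashed with bcrypt. The following example, added here and not Kickstarter's own code, shows how a site typically ends up in that state and how it gets out of it: a verifier that accepts both record formats and, on a successful login, rehashes a legacy record with a slow key-derivation function. The record layout, the round count (the page says only "multiple times"), and the use of scrypt from the standard library as a stand-in for bcrypt are all assumptions made for this example.

```python
import hashlib
import hmac
import os

# Record format (constructed for this example): "<scheme>$<params>$<salt_hex>$<digest_hex>"
LEGACY_ROUNDS = 1000  # assumed; the FAQ gives no number, only "multiple times"


def legacy_sha1_hash(password: str, salt: bytes, rounds: int = LEGACY_ROUNDS) -> bytes:
    """Per-user salt plus SHA-1 iterated `rounds` times (a reconstruction of the
    older scheme the FAQ describes). Even iterated, SHA-1 is a fast hash, so each
    offline guess costs an attacker very little; that is why short passwords in
    such a dump are at risk."""
    digest = salt + password.encode("utf-8")
    for _ in range(rounds):
        digest = hashlib.sha1(digest).digest()
    return digest


def legacy_record(password: str, rounds: int = LEGACY_ROUNDS) -> str:
    """Create a record in the legacy format (only used here to build test data)."""
    salt = os.urandom(16)
    return f"sha1${rounds}${salt.hex()}${legacy_sha1_hash(password, salt, rounds).hex()}"


# scrypt stands in for bcrypt (assumption: bcrypt needs a third-party package).
# N is the tunable work factor; raising it raises the cost of every guess.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def strong_hash(password: str, salt: bytes, n: int = SCRYPT_N, r: int = SCRYPT_R, p: int = SCRYPT_P) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=32)


def strong_record(password: str) -> str:
    salt = os.urandom(16)
    return f"scrypt${SCRYPT_N}:{SCRYPT_R}:{SCRYPT_P}${salt.hex()}${strong_hash(password, salt).hex()}"


def verify(password: str, record: str) -> bool:
    """Check a password against either record format using a constant-time compare."""
    scheme, params, salt_hex, digest_hex = record.split("$")
    salt = bytes.fromhex(salt_hex)
    if scheme == "sha1":
        computed = legacy_sha1_hash(password, salt, int(params))
    elif scheme == "scrypt":
        n, r, p = (int(x) for x in params.split(":"))
        computed = strong_hash(password, salt, n, r, p)
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    return hmac.compare_digest(computed, bytes.fromhex(digest_hex))


def login(password: str, record: str):
    """Verify the password; on success, upgrade a legacy record to the strong scheme.
    Returns (ok, record_to_store). Rehashing can only happen at login, because that
    is the only moment the server holds the plaintext; records of users who never
    log in again stay in the legacy format, which is how two schemes coexist."""
    if not verify(password, record):
        return False, record
    if record.startswith("sha1$"):
        return True, strong_record(password)
    return True, record
```

The upgrade-on-login pattern is the usual way to migrate stored hashes without forcing a mass reset; the residual risk is exactly the one in the FAQ, since accounts that have not logged in since the change remain under the weaker scheme until the site forces a reset.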
Customers with concerns not addressed by the blog post can contact Kickstarter at accountsecurity@kickstarter.com.