Kickstarter Hacked on Wednesday, Recommends Changing Passwords
-
Category: News ArchiveHits: 1650
In case you have made an account on Kickstarter in the past, you'll probably want to read this important security notice they've published. The crowdfunding website's security was compromised on Wednesday night, granting the hackers access to information like usernames, addresses, e-mails, phone numbers and encrypted passwords. No credit card data was apparently accessed, which I suppose is the small victory here, but the Kickstarter staff still recommends changing your passwords:
On Wednesday night, law enforcement officials contacted Kickstarter and alerted us that hackers had sought and gained unauthorized access to some of our customers' data. Upon learning this, we immediately closed the security breach and began strengthening security measures throughout the Kickstarter system.
No credit card data of any kind was accessed by hackers. There is no evidence of unauthorized activity of any kind on your account.
While no credit card data was accessed, some information about our customers was. Accessed information included usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords. Actual passwords were not revealed, however it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one.
As a precaution, we strongly recommend that you change the password of your Kickstarter account, and other accounts where you use this password.
Here's a brief FAQ going into more details on what happened, and the reasons Kickstarter waited until today to announce the security breach:
How were passwords encrypted?
Older passwords were uniquely salted and digested with SHA-1 multiple times. More recent passwords are hashed with bcrypt.
Does Kickstarter store credit card data?
Kickstarter does not store full credit card numbers. For pledges to projects outside of the US, we store the last four digits and expiration dates for credit cards. None of this data was in any way accessed.
If Kickstarter was notified Wednesday night, why were people notified on Saturday?
We immediately closed the breach and notified everyone as soon we had thoroughly investigated the situation.
Will Kickstarter work with the two people whose accounts were compromised?
Yes. We have reached out to them and have secured their accounts.
I use Facebook to log in to Kickstarter. Is my login compromised?
No. As a precaution we reset all Facebook login credentials. Facebook users can simply reconnect when they come to Kickstarter.
This is as good a time as any to recommend our readers to use unique passwords for every website they're registered to. It won't stop stuff like this from happening, but at least it limits the damage that can be done.