If you ever supported a Kickstarter project, you know by now that the popular crowdfunding platform has experience a data breach and that some of your information was compromised.
The company simultaneously published a blog post and sent out email alerts detailing the scope and possible consequences of the compromise, as well as their actions in its wake.
They were made aware of the breach on Wednesday, February 12, by law enforcement officials.
“Upon learning this, we immediately closed the security breach and began strengthening security measures throughout the Kickstarter system,” disclosed Kickstarter CEO Yancey Strickler.
“No credit card data of any kind was accessed by hackers. There is no evidence of unauthorized activity of any kind on all but two Kickstarter user accounts,” he made sure to note.
But the following user information was accessed: usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords.
“Older passwords were uniquely salted and digested with SHA-1 multiple times. More recent passwords are hashed with bcrypt,” Strickler shared, and allowed that “it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one.”
Users who loged into Kickstarted with their Facebook login credentials can rest assured that their login credentials weren’t compromised, but will have to reconnect the next time they access the site as Kickstarter has reset all Facebook login credentials as a precaution.
The company has recommended users to create a new password, and to change it on other accounts for which they use the old one.
“Kickstarter has done the right things following the breach, notifying users and advising them to reset passwords via its website. It’s wise to do this even though Kickstarter stored its passwords in encrypted form,” commented Keith Bird, UK managing director of Check Point.
“But users should be very cautious about clicking on links in any follow-up emails that they receive that appear to come from Kickstarter or related organisations, no matter how plausible the emails appear to be. There’s a real risk that the details stolen in the hack may be used in phishing attacks, to try and harvest more personal data.”
Strickler didn’t share any details on how the attackers managed to swing the attack.