Kickstarter issued a warning to its backers over the weekend, stating that hackers had gained unauthorized access to some of the company’s customer data. The company strongly recommends that you reset your Kickstarter password, as well as the password on any other accounts that use the same one.
The hack originally occurred last Wednesday night, and Kickstarter was alerted to this security breach by law enforcement officials. Kickstarter immediately closed the breach and started strengthening its security system.
Thankfully, despite this being a serious issue, Kickstarter assures that no credit card data of any kind was accessed by the hackers. However, even though there isn’t evidence of unauthorized account activity on the majority of user accounts, there were two Kickstarter accounts that did unfortunately have unauthorized account activity.
While no credit card data was accessed, some customer information was, including usernames, email addresses, mailing addresses, phone numbers and encrypted passwords. Actual passwords weren’t revealed, but it is possible that said passwords could be cracked if they were particularly weak. As a precaution against this, Kickstarter “strongly recommend[s] that you create a new password for your Kickstarter account, and other accounts where you use this password.”
Kickstarter deeply apologizes that this incident took place. The company has since improved its security systems in a number of ways and will continue to do so in the weeks to come. Kickstarter has also issued an FAQ and a few updates on this issue since the incident, which can be found in the company’s official post on the matter. The FAQ is listed below.
How were passwords encrypted?
Older passwords were uniquely salted and digested with SHA-1 multiple times. More recent passwords are hashed with bcrypt.
Does Kickstarter store credit card data?
Kickstarter does not store full credit card numbers. For pledges to projects outside of the US, we store the last four digits and expiration dates for credit cards. None of this data was in any way accessed.
If Kickstarter was notified Wednesday night, why were people notified on Saturday?
We immediately closed the breach and notified everyone as soon as we had thoroughly investigated the situation.
Will Kickstarter work with the two people whose accounts were compromised?
Yes. We have reached out to them and have secured their accounts.
I use Facebook to log in to Kickstarter. Is my login compromised?
No. As a precaution we reset all Facebook login credentials. Facebook users can simply reconnect when they come to Kickstarter.
If you are affected by this issue or are worried about your Kickstarter account, Kickstarter encourages you to contact the company with any questions or concerns at firstname.lastname@example.org.
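The FAQ above says older passwords were salted and digested with SHA-1 multiple times, while newer ones are hashed with bcrypt. The following Python example, added here and not Kickstarter's code, shows how two such record formats can coexist and how a legacy record can be re-hashed with a slow KDF after a successful login, which is a common migration practice rather than something the page describes. The round count, record format and function names are assumptions, and the standard library's scrypt stands in for bcrypt.

```python
import hashlib
import hmac
import os

LEGACY_ROUNDS = 1000  # assumption: the page only says "multiple times"

def legacy_sha1(password: str, salt: bytes, rounds: int = LEGACY_ROUNDS) -> bytes:
    """Salted SHA-1 applied repeatedly (constructed stand-in for the older scheme)."""
    digest = hashlib.sha1(salt + password.encode()).digest()
    for _ in range(rounds - 1):
        digest = hashlib.sha1(salt + digest).digest()
    return digest

def slow_kdf(password: str, salt: bytes) -> bytes:
    """scrypt from the standard library, standing in for bcrypt (assumption)."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)

def make_legacy_record(password: str) -> str:
    salt = os.urandom(16)  # unique per-user salt
    return f"sha1${LEGACY_ROUNDS}${salt.hex()}${legacy_sha1(password, salt).hex()}"

def make_modern_record(password: str) -> str:
    salt = os.urandom(16)
    return f"scrypt${salt.hex()}${slow_kdf(password, salt).hex()}"

def verify_and_upgrade(password: str, record: str):
    """Return (ok, record_to_store). A legacy record that verifies is re-hashed
    with the slow KDF, since only a successful login exposes the plaintext."""
    scheme, *fields = record.split("$")
    if scheme == "sha1":
        rounds, salt_hex, digest_hex = fields
        candidate = legacy_sha1(password, bytes.fromhex(salt_hex), int(rounds))
    elif scheme == "scrypt":
        salt_hex, digest_hex = fields
        candidate = slow_kdf(password, bytes.fromhex(salt_hex))
    else:
        raise ValueError(f"unknown scheme: {scheme}")
    # Constant-time comparison avoids leaking how many bytes matched.
    ok = hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    if ok and scheme == "sha1":
        return True, make_modern_record(password)
    return ok, record

if __name__ == "__main__":
    stored = make_legacy_record("correct horse battery staple")  # constructed sample
    ok, stored = verify_and_upgrade("correct horse battery staple", stored)
    print(ok, stored.split("$")[0])
```

Records belonging to users who never log in again stay in the legacy format, which is why a forced password reset is the usual complement to this kind of migration.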