Kickstarter hacked, user info stolen

In an email to its members today, popular crowdfunding platform Kickstarter announced that it had been hacked, and that thieves had made off with personal information and other user data.

According to a blog post on their website, Kickstarter was informed by law enforcement that hackers had breached its security and taken user data, including usernames, email addresses, phone numbers, mailing addresses and passwords. Kickstarter has closed the security hole, but warned that although the passwords were stored in encrypted form, attackers with 'enough computing power' may be able to crack them. From the blog post:

While no credit card data was accessed, some information about our customers was. Accessed information included usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords. Actual passwords were not revealed; however, it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one.

Kickstarter apologized for the breach, saying that they would take steps to improve their security in the future. They also recommended that Kickstarter users change the password for their account and any other accounts which share the same password. 

On the bright side, however, the site informed users that their credit card data had not been stolen - something which many may have been worried about, considering the recent high-profile breaches of Target and other retailers in which 110 million credit cards were compromised.

According to a tweet from Kickstarter, their older passwords are encrypted with SHA-1, while newer passwords use bcrypt. While both methods can be broken, applying an encryption algorithm makes the data much safer than leaving it unencrypted, which may allow users to rest more comfortably.

Source: CNet via reddit | Image via FourHourWorkWeek.com


19 Comments

The article doesn't make sense in some parts...
It says passwords were encrypted two different ways - so which was it?
It also says other information was stolen - how? There's nowhere I can enter a mailing address, phone number OR credit card info into my Kickstarter settings. This is usually handled by Amazon Payments.

Raa said,

It also says other information was stolen - how? There's nowhere I can enter a mailing address, phone number OR credit card info into my Kickstarter settings. This is usually handled by Amazon Payments.
You enter this information when you actually decide to back a project. I just logged in and checked what account information was there, and it included a credit card. When I removed it, the tab in the settings where it was at disappeared. And they said that credit card info wasn't accessed. But the mailing address is also entered when you back a project... That's how they ship you the goodies lol.

They are. Bcrypt is a key derivation function, quite good, too. KDFs happen to tick all the boxes of a one-way compression function proper.

It's just press and PR not caring of the difference. Note how the original tweet doesn't even mention "encryption algorithm", only "encryption" as such, so PR guys might be excused, actually.
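As an added example, written for this page and not code from Kickstarter, the article or the commenters, the Python below shows the difference the article's last paragraph and the comment above are getting at: a fast legacy SHA-1 hash costs an attacker one hash per guess, while a salted, iterated key derivation function costs a configurable number of operations per guess. It also shows the defender-side fix for a mixed table like the one the tweet describes: verify against whichever format the account has, and re-hash legacy entries with the KDF the next time the user logs in. Two assumptions are labelled in the code: the legacy hashes are treated as unsalted SHA-1 (the article does not say whether they were salted), and PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt, which needs the third-party `bcrypt` package; the hypothetical `login_and_upgrade` function and the in-memory `users` table are constructed for the example.

```python
"""Legacy SHA-1 password hashes vs. a slow KDF, with transparent upgrade at login.

Added example, not Kickstarter's code. Assumptions (labelled):
- legacy hashes are unsalted SHA-1 hex digests (the article does not say
  whether Kickstarter salted them);
- PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt, which
  needs the third-party `bcrypt` package; both are salted, iterated KDFs.
"""
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Optional

KDF_ITERATIONS = 200_000          # work factor; raise it as hardware gets faster
LEGACY_PREFIX = "sha1$"           # constructed storage-format tags, not Kickstarter's
KDF_PREFIX = "pbkdf2_sha256$"


def legacy_sha1_hash(password: str) -> str:
    """Fast, unsalted SHA-1: one guess costs one hash, and equal passwords collide."""
    return LEGACY_PREFIX + hashlib.sha1(password.encode()).hexdigest()


def kdf_hash(password: str, salt: Optional[bytes] = None,
             iterations: int = KDF_ITERATIONS) -> str:
    """Salted, iterated KDF: each guess costs `iterations` HMAC computations."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{KDF_PREFIX}{iterations}${salt.hex()}${digest.hex()}"


def verify(stored: str, password: str) -> bool:
    """Check a password against either stored format; compare in constant time."""
    if stored.startswith(LEGACY_PREFIX):
        return hmac.compare_digest(stored, legacy_sha1_hash(password))
    if stored.startswith(KDF_PREFIX):
        _, iters, salt_hex, _ = stored.split("$")
        recomputed = kdf_hash(password, bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(stored, recomputed)
    return False  # unknown format: fail closed


def login_and_upgrade(store: Dict[str, str], username: str, password: str) -> bool:
    """Authenticate; if the account still has a legacy hash, replace it with a KDF hash.

    This is the usual migration path for a table that mixes old and new formats:
    the plaintext is only available at login, so that is when the upgrade happens.
    """
    stored = store.get(username)
    if stored is None or not verify(stored, password):
        return False
    if stored.startswith(LEGACY_PREFIX):
        store[username] = kdf_hash(password)
    return True


def hashes_per_second(fn: Callable[[str], str], seconds: float = 0.2) -> float:
    """Rough single-core throughput of a hash format, i.e. how much 'computing
    power' one guess consumes; useful for choosing a work factor."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        fn("candidate-password")
        n += 1
    return n / (time.perf_counter() - start)


if __name__ == "__main__":
    # Constructed user table: one pre-migration account, one post-migration account.
    users = {"alice": legacy_sha1_hash("correct horse"),
             "bob": kdf_hash("battery staple")}
    assert login_and_upgrade(users, "alice", "correct horse")
    print("alice re-hashed as:", users["alice"][:40] + "...")
    print(f"SHA-1 hashes/s per core: {hashes_per_second(legacy_sha1_hash):,.0f}")
    print(f"KDF hashes/s per core:   {hashes_per_second(kdf_hash):,.1f}")
```

The throughput numbers vary by machine, but the ratio is the point: the KDF is slower by roughly its iteration count, so the same hardware tests correspondingly fewer guesses, which is why a weak password is still the limiting factor and why the work factor should be raised over time.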

What I'm wondering is, why did it take law enforcement officials having to contact Kickstarter before they came to know of their system being breached?

Romero said,
What I'm wondering is, why did it take law enforcement officials having to contact Kickstarter before they came to know of their system being breached?

This bit raised my eyebrows a tad as well, it's like maybe they didn't have a clue and the details were offered somewhere which a law enforcement group has operatives so they informed them! Or something else, I think you know what

Romero said,
What I'm wondering is, why did it take law enforcement officials having to contact Kickstarter before they came to know of their system being breached?

Law enforcement can identify these things pretty quickly, so I'm giving Kickstarter a pass here. I've had an experience where we identified an ATTEMPTED breach, fixed the hole within minutes of the attempt, and the FBI contacted us a couple hours later saying that they saw the attack and wanted to know if they could help us in any way (and they wanted logs to help with their own case...). I was skeptical that it was even the FBI, but it was. Kinda weird...

Fezmid said,
I was skeptical that it was even the FBI, but it was. Kinda weird...
Weird? Not at all! Naturally they were informed by the NSA which was interested in who was following in their footsteps.

Enron said,
They should start a Kickstarter to get their stolen passwords back.

LOL a recursive kickstarter project to secure kickstarter

I have a problem with this article. Neither SHA-1 or bcrypt is actually encryption.

Why isn't the difference explained in this article? More importantly why did the author of Kickstarter blog entry make this mistake?
