Crowdfunding site Kickstarter has been hacked, and the personal data of an unknown number of customers stolen. However, payment card data remained untouched, according to a Feb. 15 blog posting by Chief Executive Yancey Strickler.
Stolen information included usernames, email addresses, street addresses, phone numbers and encrypted passwords. “Actual passwords were not revealed, however it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one,” Strickler warned, recommending that customers change their Kickstarter passwords immediately, as well as the passwords of any accounts using the same password as at Kickstarter.
The attacks appear to have compromised only two customer accounts, both of which were frozen and the owners notified at the onset of the investigation. The company is working with law enforcement agencies to investigate the attack, and has upgraded its security, according to Strickler, who didn’t offer much detail on those upgrades.
Authorities notified Kickstarter of the breach on Feb. 12, but the company didn’t notify customers until Feb. 15 because it wanted to close off the hole in its security. Kickstarter stores “older” passwords as uniquely salted and digested SHA-1 hashes; more recent passwords are hashed with bcrypt; the company doesn’t store full credit card numbers, but does keep the last four digits of a card number and expiration date for pledges from outside the U.S. Kickstarter also reset all Facebook login credentials to prevent any stolen Kickstarter data from being used for bogus logins to Facebook.
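The mixed storage scheme described above, legacy salted SHA-1 records alongside newer slow-hash records, is normally handled by verifying against whichever format a record carries and re-hashing legacy records the next time the user logs in. The following is an added example, not Kickstarter's code; it uses PBKDF2-HMAC-SHA256 from the Python standard library in place of bcrypt so it runs without third-party packages, and the record formats are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed record formats (assumption, not Kickstarter's):
#   legacy:   "sha1$<hex salt>$<hex sha1(salt || password)>"
#   upgraded: "pbkdf2$<iterations>$<hex salt>$<hex derived key>"
# PBKDF2 stands in for bcrypt here; the point is the slow, tunable work factor.
PBKDF2_ITERATIONS = 200_000


def legacy_sha1_hash(password, salt=None):
    """Salted SHA-1 as used for the 'older' records. A unique salt defeats
    precomputed tables, but SHA-1 is fast, so weak passwords fall quickly
    to offline guessing once the record is stolen."""
    salt = salt or os.urandom(16)
    digest = hashlib.sha1(salt + password.encode()).hexdigest()
    return f"sha1${salt.hex()}${digest}"


def strong_hash(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Slow KDF record; each guess costs the attacker `iterations` HMAC calls."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"


def verify(stored, password):
    """Check a password against either record format, in constant time."""
    parts = stored.split("$")
    if parts[0] == "sha1":
        _, salt_hex, digest = parts
        cand = hashlib.sha1(bytes.fromhex(salt_hex) + password.encode()).hexdigest()
        return hmac.compare_digest(cand, digest)
    if parts[0] == "pbkdf2":
        _, iters, salt_hex, dk_hex = parts
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    raise ValueError("unknown hash format")


def login_and_upgrade(users, username, password):
    """Authenticate; on success, silently replace a legacy SHA-1 record with
    a slow-KDF record (the plaintext is only available at login time)."""
    stored = users.get(username)
    if stored is None or not verify(stored, password):
        return False
    if stored.startswith("sha1$"):
        users[username] = strong_hash(password)
    return True
```

Records that never see a successful login stay SHA-1, which is why a breach notice for such a scheme still has to tell users to change passwords rather than rely on migration alone.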
Kickstarter was launched in 2009 as a way to arrange funding for nearly any kind of project, by allowing millions of ordinary people to contribute small amounts. It quickly became an alternative to obtaining funding through banks, venture capital firms or other traditional means. More than 100,000 projects have been funded in the past five years, from films and video games to restaurant launches and software.
Popular current projects include Blackmore, a steampunk video game; a car-tire air-valve cap that warns when tire pressure is low; a WiFi dongle that creates connections to car OBD networks; and Dash, a pair of wireless in-ear headphones that combine the functions of an MP3 player, heart-rate monitor, fitness tracker and sports watch.
“We’re incredibly sorry that this happened,” Strickler wrote. “We set a very high bar for how we serve our community, and this incident is frustrating and upsetting. We have since improved our security procedures and systems in numerous ways, and we will continue to do so in the weeks and months to come.”
The company also set up a special email address at firstname.lastname@example.org that customers can use to contact it with questions or concerns.