Crowdfunding site Kickstarter has revealed that hackers gained unauthorised access to customer data earlier this week.
Compromised details include usernames, email addresses, mailing addresses, phone numbers and password hashes.
Kickstarter users should change their passwords immediately.
A statement on kickstarter.com reads:
No credit card data of any kind was accessed by hackers. There is no evidence of unauthorized activity of any kind on all but two Kickstarter user accounts.
While no credit card data was accessed, some information about our customers was. Accessed information included usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords. Actual passwords were not revealed, however it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one.
Few details are available about the breach, but we do know that the company was informed about the unauthorised access on 12 February 2014 and that users had to wait four more days to find out for themselves.
We don’t know enough to say whether Kickstarter was in a position to tell customers about the data loss any earlier, but it is, at the very least, regrettable that the attackers have gained a four-day head start.
It’s understandable that they would want to seal the breach and discover enough about what happened to provide accurate advice to their users but when the dust settles they will need to explain why an earlier, precautionary reset of users’ passwords wasn’t in order.
In an update to their earlier statement Kickstarter published some details of how the passwords were hashed:
Older passwords were uniquely salted and digested with SHA-1 multiple times. More recent passwords are hashed with bcrypt.
Users can draw some comfort from the fact that their passwords were hashed rather than encrypted (Kickstarter’s first statement described them as “encrypted passwords”). A unique salt per user means an attacker cannot reuse precomputed tables and has to attack each account separately, and bcrypt’s adjustable cost slows every guess further, but neither protects a weak or obvious password from a dictionary attack (if you’re wondering why you should draw comfort from hashing at all, read our article on how to store your users’ passwords safely).
Sensibly, Kickstarter is also urging users who use their kickstarter.com password on other websites to change their passwords on those sites too.
We agree – maintaining strong, unique passwords for each service and website that you use is so important it has a place on our list of 3 essential security tasks.
We recommend a separate password for each website and service you use because hackers will often try plundered passwords on other websites, a practice known as credential stuffing, or sell the passwords to somebody who will.
The problem is so serious that after last year’s massive Adobe data breach we saw Facebook temporarily locking out users who shared passwords between Adobe and Facebook.
More recently hackers tried to gain access to Yahoo mail accounts using credentials that were “likely collected from a third-party database compromise”.
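The two technical points above, that salted and iterated (or bcrypt) hashing slows an attacker down but does not save a weak password, and that a password cracked from one site can be tested against another, are easier to see in code. The following is an added example written for this article; it is not Kickstarter’s code, whose exact construction is not public. The legacy scheme (SHA-1 applied repeatedly over salt plus password, 1000 rounds) is an assumption chosen to match the description “uniquely salted and digested with SHA-1 multiple times”, and PBKDF2-HMAC-SHA256 from Python’s standard library stands in for bcrypt because both are salted with a tunable work factor. All usernames, passwords and the wordlist are constructed sample data.

```python
import hashlib
import hmac
import os

# Assumed legacy scheme: SHA-1 over salt || password, re-hashed this many times.
# Kickstarter did not publish its construction; this is an illustration only.
LEGACY_SHA1_ROUNDS = 1000
# PBKDF2-HMAC-SHA256 stands in for bcrypt: salted, with an adjustable work factor.
PBKDF2_ITERATIONS = 100_000


def legacy_sha1(password: str, salt: bytes, rounds: int = LEGACY_SHA1_ROUNDS) -> bytes:
    """Assumed legacy scheme: SHA-1 applied `rounds` times over salt + password."""
    digest = salt + password.encode("utf-8")
    for _ in range(rounds):
        digest = hashlib.sha1(digest).digest()
    return digest


def pbkdf2(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Slow, salted hash from the standard library (bcrypt stand-in)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str, scheme: str = "pbkdf2") -> dict:
    """What a site stores per user: scheme, a fresh random salt and the hash.
    The plaintext password is never kept."""
    salt = os.urandom(16)
    if scheme == "sha1":
        digest = legacy_sha1(password, salt)
    elif scheme == "pbkdf2":
        digest = pbkdf2(password, salt)
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    return {"scheme": scheme, "salt": salt, "hash": digest}


def verify(record: dict, candidate: str) -> bool:
    """Recompute the hash with the record's own salt; compare in constant time."""
    if record["scheme"] == "sha1":
        digest = legacy_sha1(candidate, record["salt"])
    else:
        digest = pbkdf2(candidate, record["salt"])
    return hmac.compare_digest(digest, record["hash"])


def crack(records: dict, wordlist: list) -> dict:
    """Offline dictionary attack on a leaked table.

    Unique salts mean each guess must be hashed separately per user (no
    precomputed rainbow table helps), and a slow scheme makes every guess
    cost more. A weak password still falls after a handful of guesses;
    a random one survives the whole wordlist regardless of scheme."""
    found = {}
    for user, record in records.items():
        for guess in wordlist:
            if verify(record, guess):
                found[user] = guess
                break
    return found


def find_reused(cracked: dict, other_site: dict) -> list:
    """What a second site can do once a crack is public (the Facebook/Adobe
    move): test each recovered password against its own stored hash for the
    same user and flag accounts that share it. Only the second site's hashes
    are needed, never its plaintexts."""
    return [user for user, pw in cracked.items()
            if user in other_site and verify(other_site[user], pw)]


# Constructed sample data, not real accounts.
WORDLIST = ["123456", "password", "kickstarter", "password123", "letmein"]


def demo() -> dict:
    # Leaked table: two legacy SHA-1 users and one modern-scheme user.
    leaked = {
        "alice": make_record("password123", "sha1"),      # weak, legacy scheme
        "bob": make_record("9gR!x7Qv#pL2wZ4m", "sha1"),    # strong, legacy scheme
        "carol": make_record("letmein", "pbkdf2"),        # weak, slow scheme
    }
    # Same password for two users: unique salts give unrelated hashes.
    distinct_hashes = make_record("password", "sha1")["hash"] != make_record("password", "sha1")["hash"]

    cracked = crack(leaked, WORDLIST)

    # An unrelated site where alice reused her password and carol did not.
    other_site = {
        "alice": make_record("password123"),
        "carol": make_record("a-different-password-for-this-site"),
    }
    return {"cracked": cracked, "distinct_hashes": distinct_hashes,
            "reused": find_reused(cracked, other_site)}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` recovers alice’s and carol’s passwords but not bob’s: the slow scheme only multiplied the cost of carol’s five guesses, it did not change the outcome, which is exactly the caveat in Kickstarter’s statement. The reuse check then flags only alice, who used the cracked password on the second site as well.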
It would be nice to know if pledge history was compromised. Spear phishing with this information would become quite the issue.
Once again I’m happy to have a password-management system in place that uses a random password string for each different service/website I use. I haven’t replaced my legacy passwords on some of my oldest sites yet, but this is another reason to encourage me.