In a blog post dated February 16, Kickstarter disclosed a security breach in which attackers gained unauthorized access to user information on the crowd-funding site. The company said it had been notified of the intrusion by authorities on Wednesday night.
The information accessed included usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords (in fact salted and hashed, as the company later clarified).
Credit card information was not accessed. The company has nevertheless advised users to change their passwords and, if possible, to use a password manager.
The company has apologized to its users and said the breach has been closed.
In the blog post, titled “Important Kickstarter Security Notice”, the company said: “No credit card data of any kind was accessed by hackers. There is no evidence of unauthorized activity of any kind on all but two Kickstarter user accounts.” It also briefly mentions the steps taken to secure the system: “We have since improved our security procedures and systems in numerous ways, and we will continue to do so in the weeks and months to come.”
Here are some of the questions the company answered in an update:
How were passwords encrypted?
Older passwords were uniquely salted and digested with SHA-1 multiple times. More recent passwords are hashed with bcrypt.
Does Kickstarter store credit card data?
Kickstarter does not store full credit card numbers. For pledges to projects outside of the US, we store the last four digits and expiration dates for credit cards. None of this data was in any way accessed.
If Kickstarter was notified Wednesday night, why were people notified on Saturday?
We immediately closed the breach and notified everyone as soon as we had thoroughly investigated the situation.
Will Kickstarter work with the two people whose accounts were compromised?
Yes. We have reached out to them and have secured their accounts.
I use Facebook to log in to Kickstarter. Is my login compromised?
No. As a precaution we reset all Facebook login credentials. Facebook users can simply reconnect when they come to Kickstarter.
Kickstarter got a lot of things right here: salting and hashing passwords, not storing full credit card numbers, owning up to the intrusion, and telling users what happened and what to do. One caveat: salted, iterated SHA-1 is far cheaper to attack offline than bcrypt, because SHA-1 is fast and has no tunable work factor, so users whose accounts predate the move to bcrypt and who chose weak or reused passwords should treat them as exposed and change them everywhere they were used. You can read more about it here.
Please let us know your views on this post, and any suggestions, in the comments.
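To make the difference between the two password schemes in that Q&A concrete, here is an added example. It is not Kickstarter's code: the exact construction and iteration count behind "uniquely salted and digested with SHA-1 multiple times" are not public, so the legacy scheme below is an assumed stand-in, and because bcrypt is not in the Python standard library, hashlib.scrypt (also a cost-parameterised password hash) stands in for the modern side. The record format, the scheme names, the wordlist and the sample password are all constructed for illustration. The block shows both schemes, the upgrade-on-login pattern that leaves a site with a mix of old and new hashes, and an attacker's offline dictionary run against a leaked salt and hash.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, List, Optional, Tuple

# Added illustration, not Kickstarter's code. The notice says older passwords
# were "uniquely salted and digested with SHA-1 multiple times"; the real
# construction and iteration count are not public, so this legacy scheme is an
# assumption: SHA-1 over salt||password, then re-hashed over salt||digest.
LEGACY_ITERATIONS = 1000

# bcrypt is not in the standard library, so hashlib.scrypt stands in for the
# modern side. Like bcrypt it is a deliberately slow password hash with a
# tunable work factor, which is the property this example demonstrates.
SCRYPT_N = 2 ** 14  # CPU/memory cost; raise it as hardware gets faster


def legacy_sha1_hash(password: str, salt: bytes,
                     iterations: int = LEGACY_ITERATIONS) -> bytes:
    digest = hashlib.sha1(salt + password.encode("utf-8")).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha1(salt + digest).digest()
    return digest


def modern_hash(password: str, salt: bytes, n: int = SCRYPT_N) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=n, r=8, p=1, dklen=32)


SCHEMES = {"sha1-iter": legacy_sha1_hash, "scrypt": modern_hash}


def make_record(password: str, scheme: str = "scrypt") -> Dict:
    salt = os.urandom(16)  # unique per user, as the notice describes
    return {"scheme": scheme, "salt": salt, "hash": SCHEMES[scheme](password, salt)}


def verify_and_upgrade(record: Dict, password: str) -> Tuple[bool, Dict]:
    """Check a login attempt. On success, a legacy record is re-hashed under
    the modern scheme. This upgrade-on-login pattern is how a site ends up
    holding a mix of old and new hashes, as the notice describes: the
    plaintext is only available while the user is actually logging in."""
    expected = SCHEMES[record["scheme"]](password, record["salt"])
    if not hmac.compare_digest(expected, record["hash"]):
        return False, record
    if record["scheme"] != "scrypt":
        return True, make_record(password, "scrypt")
    return True, record


def crack(record: Dict, wordlist: List[str]) -> Tuple[Optional[str], float]:
    """Attacker's view of a leaked record: salt and hash are both known, so
    each candidate costs exactly one evaluation of the scheme. The salt stops
    precomputed tables and cross-user batching, but not per-user guessing.
    Returns the recovered password (or None) and the seconds spent per guess."""
    fn = SCHEMES[record["scheme"]]
    start = time.perf_counter()
    found = None
    tried = 0
    for candidate in wordlist:
        tried += 1
        if hmac.compare_digest(fn(candidate, record["salt"]), record["hash"]):
            found = candidate
            break
    per_guess = (time.perf_counter() - start) / max(tried, 1)
    return found, per_guess


if __name__ == "__main__":
    # Constructed sample data: one weak password and a tiny attacker wordlist.
    wordlist = ["letmein", "qwerty", "password1", "kickstarter"]
    legacy = make_record("password1", "sha1-iter")
    modern = make_record("password1", "scrypt")
    for rec in (legacy, modern):
        found, per_guess = crack(rec, wordlist)
        print(f"{rec['scheme']:9s} recovered={found!r} "
              f"{per_guess * 1e6:9.0f} us/guess")
    ok, upgraded = verify_and_upgrade(legacy, "password1")
    print("login ok:", ok, "record now hashed with:", upgraded["scheme"])
```

Run it and both records give up "password1", because a dictionary word falls to any scheme; what differs is the cost per guess, and the ratio this script prints understates the real gap, since a GPU evaluates iterated SHA-1 orders of magnitude faster than it evaluates bcrypt or scrypt. That is why a leak of the older hashes is the more serious part of this disclosure, and why the per-record scheme tag plus upgrade-on-login is the usual way to retire them.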