By the time global crowdfunding site Kickstarter had found out from “law enforcement officials” that “hackers had sought and gained unauthorised access” to customers’ data, it was too late.
Its CEO Yancey Strickler wrote in an email sent out yesterday to users that the security breach had been resolved and that no credit card data was accessed by the hackers. However, the company’s blog page stated that there was evidence of unauthorised activity on two Kickstarter user accounts.
While users’ passwords were not revealed, Strickler explained that a scenario in which the hackers obtain passwords by cracking the stolen hashes is not far-fetched. For that reason, Kickstarter users are advised to change their passwords immediately to prevent unauthorised transactions.
He also posted an update on the situation to the blog, which shed light on how passwords are encrypted and on the motivation behind waiting two to three days to inform users.
How were passwords encrypted?
Older passwords used to be uniquely salted and digested with SHA-1 multiple times. More recent passwords are hashed with bcrypt.
Does Kickstarter store credit card data?
Kickstarter does not store full credit card numbers. For pledges to projects outside of the US, we store the last four digits and expiration dates for credit cards. None of this data was in any way accessed.
If Kickstarter was notified Wednesday night, why were people notified on Saturday?
We immediately closed the breach and notified everyone as soon as we had thoroughly investigated the situation.
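The blog answer above names two password-storage schemes: per-user salted SHA-1 applied repeatedly for older accounts, and bcrypt for newer ones. The following is an added example, not Kickstarter's code, showing why that distinction matters for the "enough computing power to guess and crack" risk the email describes, and how a site typically migrates from the old scheme to the new one without forcing a reset. The legacy round count and chaining are assumptions for illustration, not Kickstarter's parameters. Because bcrypt is not in Python's standard library, the "modern" scheme here stands in PBKDF2-HMAC-SHA256 from `hashlib`, which shares the property that matters in this context: a tunable work factor that makes each guess expensive.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Legacy scheme as described on the page: unique per-user salt, SHA-1 digested
# several times. The round count and chaining are assumptions for illustration.
LEGACY_ROUNDS = 1000

# Stand-in for bcrypt (assumption): PBKDF2-HMAC-SHA256 with a high iteration
# count, so that each password guess costs an attacker measurable CPU time.
MODERN_ITERATIONS = 200_000


def legacy_hash(password: str, salt: bytes, rounds: int = LEGACY_ROUNDS) -> str:
    """Salted, iterated SHA-1 (legacy). Record format: sha1$rounds$salt$digest."""
    digest = salt + password.encode()
    for _ in range(rounds):
        digest = hashlib.sha1(digest).digest()
    return f"sha1${rounds}${salt.hex()}${digest.hex()}"


def modern_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = MODERN_ITERATIONS) -> str:
    """Slow, tunable hash (bcrypt stand-in). Record: pbkdf2_sha256$iters$salt$dk."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> bool:
    """Recompute the record with the stored scheme/params and compare in constant time."""
    scheme, param, salt_hex, _ = stored.split("$")
    salt = bytes.fromhex(salt_hex)
    if scheme == "sha1":
        candidate = legacy_hash(password, salt, int(param))
    elif scheme == "pbkdf2_sha256":
        candidate = modern_hash(password, salt, int(param))
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    return hmac.compare_digest(candidate, stored)


def login_and_upgrade(password: str, stored: str) -> Tuple[bool, str]:
    """Verify the password; if the record still uses the legacy scheme and the
    password is correct, return a re-hashed modern record for the caller to
    persist. This upgrade-on-login pattern is how a site moves its user base
    from SHA-1 to a slow hash without knowing anyone's plaintext password."""
    if not verify(password, stored):
        return False, stored
    if stored.startswith("sha1$"):
        return True, modern_hash(password)
    return True, stored


def cost_ratio(password: str = "correct horse", samples: int = 3) -> float:
    """Wall-clock cost of one modern hash relative to one legacy hash.
    The ratio is roughly how much slower an offline guessing attack becomes."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for _ in range(samples):
        legacy_hash(password, salt)
    legacy = (time.perf_counter() - t0) / samples
    t0 = time.perf_counter()
    for _ in range(samples):
        modern_hash(password, salt)
    modern = (time.perf_counter() - t0) / samples
    return modern / legacy


if __name__ == "__main__":
    # Constructed sample record for a user still on the legacy scheme.
    old_record = legacy_hash("hunter2", os.urandom(8))
    ok, new_record = login_and_upgrade("hunter2", old_record)
    print("login ok:", ok)
    print("upgraded record scheme:", new_record.split("$")[0])
    print(f"modern hash is ~{cost_ratio():.0f}x the cost of the legacy hash")
```

The record format carries the scheme name and parameters, so `verify` can keep accepting old hashes while every successful login silently replaces them; the remaining legacy records after a breach are exactly the accounts for which a forced reset is the only option.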
Strickler noted, “We’re incredibly sorry that this happened. We set a very high bar for how we serve our community, and this incident is frustrating and upsetting. We have since improved our security procedures and systems in numerous ways, and we will continue to do so in the weeks and months to come. We are working closely with law enforcement, and we are doing everything in our power to prevent this from happening again.”
The original email reads:
On Wednesday night, law enforcement officials contacted Kickstarter and alerted us that hackers had sought and gained unauthorized access to some of our customers’ data. Upon learning this, we immediately closed the security breach and began strengthening security measures throughout the Kickstarter system.
No credit card data of any kind was accessed by hackers. There is no evidence of unauthorized activity of any kind on your account.
While no credit card data was accessed, some information about our customers was. Accessed information included usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords. Actual passwords were not revealed, however it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one.
As a precaution, we have reset your Facebook login credentials to secure your account. No further action is necessary on your part.
We’re incredibly sorry that this happened. We set a very high bar for how we serve our community, and this incident is frustrating and upsetting. We have since improved our security procedures and systems in numerous ways, and we will continue to do so in the weeks and months to come. We are working closely with law enforcement, and we are doing everything in our power to prevent this from happening again.
Kickstarter is a vibrant community like no other, and we can’t thank you enough for being a part of it. Please let us know if you have any questions, comments, or concerns. You can reach us at firstname.lastname@example.org.