Attackers broke into the network of Kickstarter, the crowdfunding platform, and stole a variety of user data, including usernames, addresses, email addresses and encrypted passwords. Company officials didn’t specify exactly how many users were affected and said that “no credit card data of any kind was accessed by hackers.”
Kickstarter is a popular platform for raising funds for a variety of projects. Supporters pledge various amounts of money in return for certain levels of rewards from the creators of a project. Supporters enter their credit card information when creating an account, and their cards are charged once a specific project they have supported reaches its funding goal. Creators of projects such as Web comics, TV shows, robotic bartenders and books all seek funding on the site.
Officials at Kickstarter said that they were alerted to the intrusion by law-enforcement officials on Wednesday night and published details on the company blog Saturday. Being told by an outsider is the most common way a data breach comes to light. The Verizon Data Breach Investigations Report, a deep study of breaches at a variety of organizations, shows that about 70 percent of breaches are discovered by third parties such as forensics teams, law-enforcement agencies and other security teams rather than by the victim’s own monitoring.
“On Wednesday night, law enforcement officials contacted Kickstarter and alerted us that hackers had sought and gained unauthorized access to some of our customers’ data. Upon learning this, we immediately closed the security breach and began strengthening security measures throughout the Kickstarter system,” Yancey Strickler, CEO of Kickstarter, wrote.
So far, only two customers’ accounts have shown evidence of unauthorized activity. Strickler said that user passwords were encrypted; in practice that means they were hashed, and the hashing scheme determines how hard the stolen values are to turn back into passwords. Older passwords were salted and hashed with SHA-1, and newer passwords were hashed with bcrypt. SHA-1 is a general-purpose hash that security experts have been warning organizations away from for several years, but the problem for password storage is not its cryptanalytic weakness so much as its speed: a single salted SHA-1 costs a microsecond or less per guess on ordinary hardware, so a stolen hash of a weak or reused password falls to an offline dictionary attack quickly. The salt only defeats precomputed tables and forces each account to be attacked separately. Bcrypt is a password-hashing function built on the Blowfish cipher with a tunable cost factor that makes every guess thousands of times more expensive, which is why the bcrypt-protected passwords are in a much better position than the SHA-1 ones.
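To make the difference between the two schemes concrete, here is an added example, not code from Kickstarter or from the original article. It builds a constructed legacy record in the salted-SHA-1 format, runs a small offline dictionary attack against it, measures how much more each guess costs under a work-factor hash, and shows the usual migration path: verify a login against the legacy hash once, then overwrite it with the slow hash. Because bcrypt needs a third-party package, the slow hash here is PBKDF2-HMAC-SHA256 from the standard library, with its iteration count standing in for bcrypt’s cost factor; the salt, password and wordlist are invented for the demonstration.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import time

# Stand-in for bcrypt (assumption made so the example runs without third-party
# packages): PBKDF2-HMAC-SHA256, with the iteration count playing the role of
# bcrypt's cost factor. The cost is stored alongside the hash so it can be raised.
SLOW_ITERATIONS = 100_000


def legacy_hash(password: str, salt: bytes) -> str:
    """Legacy scheme: one salted SHA-1 per password, stored as sha1$<salt>$<digest>."""
    digest = hashlib.sha1(salt + password.encode()).hexdigest()
    return f"sha1${salt.hex()}${digest}"


def slow_hash(password: str, salt: bytes, iterations: int = SLOW_ITERATIONS) -> str:
    """Work-factor scheme, stored as pbkdf2_sha256$<iterations>$<salt>$<key>."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password: str, stored: str) -> bool:
    """Constant-time comparison against either stored format."""
    parts = stored.split("$")
    if parts[0] == "sha1":
        return hmac.compare_digest(legacy_hash(password, bytes.fromhex(parts[1])), stored)
    if parts[0] == "pbkdf2_sha256":
        iterations, salt = int(parts[1]), bytes.fromhex(parts[2])
        return hmac.compare_digest(slow_hash(password, salt, iterations), stored)
    raise ValueError("unknown hash scheme")


def verify_and_upgrade(password: str, stored: str) -> tuple[bool, str]:
    """Login path: accept a legacy hash once, then return a slow hash to write back.

    A wrong password leaves the record untouched; an already-upgraded record is returned as is.
    """
    if not verify(password, stored):
        return False, stored
    if stored.startswith("sha1$"):
        return True, slow_hash(password, os.urandom(16))
    return True, stored


def crack(stored: str, wordlist: list[str]) -> tuple[str | None, int]:
    """Offline dictionary attack on a stolen record; returns (password, guesses tried)."""
    for n, guess in enumerate(wordlist, 1):
        if verify(guess, stored):
            return guess, n
    return None, len(wordlist)


def cost_ratio(password: str) -> float:
    """How many times more CPU time one guess costs under the slow scheme than under salted SHA-1."""
    salt = os.urandom(16)
    t0 = time.perf_counter()
    for _ in range(1000):
        legacy_hash(password, salt)
    per_legacy_guess = (time.perf_counter() - t0) / 1000
    t0 = time.perf_counter()
    slow_hash(password, salt)
    per_slow_guess = time.perf_counter() - t0
    return per_slow_guess / max(per_legacy_guess, 1e-9)


# Constructed sample data: an invented salt, a deliberately weak password and a
# tiny wordlist. None of it comes from the breach.
SAMPLE_SALT = bytes.fromhex("5e884898da280471")
SAMPLE_LEGACY = legacy_hash("summer2013", SAMPLE_SALT)
WORDLIST = ["123456", "password", "qwerty", "letmein", "summer2013", "dragon"]

if __name__ == "__main__":
    pw, tried = crack(SAMPLE_LEGACY, WORDLIST)
    print(f"legacy record cracked: {pw!r} after {tried} guesses")
    print(f"one slow-hash guess costs ~{cost_ratio(pw):.0f}x a salted-SHA-1 guess")
    ok, migrated = verify_and_upgrade(pw, SAMPLE_LEGACY)
    print(f"login ok={ok}; record rewritten as {migrated[:40]}...")
```

The migration step is the part a site in Kickstarter’s position actually needs: legacy hashes cannot be converted without the plaintext, so they are replaced one at a time as users log in (or, after a breach, as they reset), and any record still in the old format after a cut-off date should be force-reset.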
Kickstarter joins a long list of major Web companies that have faced data breaches in recent months, including Snapchat, Evernote, Dropbox and Yahoo. Attackers target companies with large user databases because users often reuse the same password on multiple sites. A password database taken from one company becomes a list of credentials to try elsewhere, so a breach at one site can cascade into account takeovers at unrelated ones.
Strickler said in his statement that users should change their passwords immediately.
“We’re incredibly sorry that this happened. We set a very high bar for how we serve our community, and this incident is frustrating and upsetting. We have since improved our security procedures and systems in numerous ways, and we will continue to do so in the weeks and months to come. We are working closely with law enforcement, and we are doing everything in our power to prevent this from happening again,” he said.