An application programming interface (API) error on the popular Kickstarter crowdfunding website exposed the plans and descriptions of more than 70,000 yet-to-be launched projects.
The API bug exposed project descriptions, goals, durations, rewards, videos, images, locations, categories, and usernames for unlaunched projects.
In a statement, Kickstarter said that no account or financial data of any kind was made accessible by the exposure.
It is unlikely that casual users came into contact with any of the unlaunched project data, the company claims, because of the way the API was indexed on the site.
“For those who are unfamiliar, an API is a software interface that allows software to communicate with one another,” reads the statement. “It’s not like a webpage that an internet user could point their browser to. It is a feed of data meant to be shared between software. The API in this instance is for Kickstarter’s internal use.”
The bug was initially introduced during a site upgrade on April 24. It remained live until it was discovered and fixed at 1:42 PM Friday, May 11.
The company apologized in their statement, calling the bug “completely unacceptable.”
The Wall Street Journal reported that Amazon Payments handles all of Kickstarters pledges and that the company never even sees user credit card or other billing information.
Kickstarter had to pull a video game start-up off the site earlier this month when it became clear that the project was a scam.