Kickstarter

On the night of Wednesday, February 12, 2014, law enforcement notified Kickstarter that its network had been breached and that attackers had gained unauthorized access to some of its customers' information. Kickstarter, founded in 2009, is a crowdfunding website: it lets individuals seeking money for films, stage productions, video games, restaurants and other projects or business ventures raise it directly from backers, who in return receive discounts, rewards, credits or other offers from the ventures they help to fund. To date Kickstarter has helped fund more than 100,000 projects and has taken in hundreds of millions of dollars in pledges.

Once alerted, Kickstarter closed the breach and began strengthening security measures throughout its systems. The company stated:

No credit card data of any kind was accessed by hackers. There is no evidence of unauthorized activity of any kind on all but two Kickstarter user accounts.

Although no credit or debit card information was accessed, other sensitive customer data was exposed: names, usernames, salted and hashed passwords, email addresses, street addresses, and phone numbers.

Data of that kind is dangerous in the wrong hands. Names, addresses and phone numbers make for convincing, targeted phishing messages that coax further sensitive information out of the recipient or steer them to malicious links that could infect their computers and hand attackers their accounts. The hashed passwords are a risk of their own: with enough computing power an attacker can guess weak passwords offline and then try the recovered credentials against the same users' accounts on other sites, which is why Kickstarter urged users to change the password anywhere it had been reused.

On February 15, 2014, Kickstarter announced on its website that the company had been breached and advised its users of the following:

Important Kickstarter Security Notice

On Wednesday night, law enforcement officials contacted Kickstarter and alerted us that hackers had sought and gained unauthorized access to some of our customers’ data. Upon learning this, we immediately closed the security breach and began strengthening security measures throughout the Kickstarter system.

No credit card data of any kind was accessed by hackers. There is no evidence of unauthorized activity of any kind on all but two Kickstarter user accounts.

While no credit card data was accessed, some information about our customers was. Accessed information included usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords. Actual passwords were not revealed; however, it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one.

As a precaution, we strongly recommend that you create a new password for your Kickstarter account, and other accounts where you use this password.

To change your password, log in to your Kickstarter account and look for the banner at the top of the page to create a new, secure password. We recommend you do the same on other sites where you use this password. For additional help with password security, we recommend tools like 1Password and LastPass.

We’re incredibly sorry that this happened. We set a very high bar for how we serve our community, and this incident is frustrating and upsetting. We have since improved our security procedures and systems in numerous ways, and we will continue to do so in the weeks and months to come. We are working closely with law enforcement, and we are doing everything in our power to prevent this from happening again.

Kickstarter is a vibrant community like no other, and we can’t thank you enough for being a part of it. Please let us know if you have any questions, comments, or concerns. You can reach us at accountsecurity@kickstarter.com.

Thank you,

Yancey Strickler
Kickstarter CEO

Updated at 5:45pm with some common questions and answers:

How were passwords encrypted?

Older passwords were uniquely salted and digested with SHA-1 multiple times. More recent passwords are hashed with bcrypt.

Does Kickstarter store credit card data?

Kickstarter does not store full credit card numbers. For pledges to projects outside of the US, we store the last four digits and expiration dates for credit cards. None of this data was in any way accessed.

If Kickstarter was notified Wednesday night, why were people notified on Saturday?

We immediately closed the breach and notified everyone as soon as we had thoroughly investigated the situation.

Will Kickstarter work with the two people whose accounts were compromised?

Yes. We have reached out to them and have secured their accounts.

I use Facebook to log in to Kickstarter. Is my login compromised?

No. As a precaution we reset all Facebook login credentials. Facebook users can simply reconnect when they come to Kickstarter.

Updated Sunday, February 16, at 7pm:

Over the past 24 hours, the Kickstarter team has responded to more than 5,000 inquiries about yesterday’s news. We’re still standing by to help. If you have questions, comments, or concerns, feel free to contact us at accountsecurity@kickstarter.com.
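The two points the notice makes about passwords, that older ones were "uniquely salted and digested with SHA-1 multiple times" and that a weak one can still be guessed with enough computing power, are easiest to see in code. Below is an added example written for this page, not Kickstarter's own code, modelling such a legacy scheme in Python with only the standard library. The salt placement and the iteration count are assumptions, since Kickstarter did not publish them, and the user records and wordlist are constructed for the demonstration.

```python
"""
Offline dictionary attack against a legacy password scheme of the kind
described in Kickstarter's notice: a unique per-user salt, then SHA-1
applied repeatedly.

Added example, not Kickstarter's code. The exact construction Kickstarter
used (salt placement, iteration count) is not published; the one below is
an assumption chosen only to show why a salted, iterated fast hash still
falls to guessing when the password itself is weak.
"""
import hashlib
import hmac

# Assumed iteration count; the notice only says "multiple times".
ITERATIONS = 1000


def legacy_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Prepend the salt, then run SHA-1 over the result `iterations` times."""
    digest = salt + password.encode("utf-8")
    for _ in range(iterations):
        digest = hashlib.sha1(digest).digest()
    return digest


def legacy_verify(password: str, salt: bytes, stored: bytes,
                  iterations: int = ITERATIONS) -> bool:
    """What the login path does: recompute and compare in constant time."""
    return hmac.compare_digest(legacy_hash(password, salt, iterations), stored)


def crack(records, wordlist, iterations=ITERATIONS):
    """
    What the attacker does with a leaked (username, salt, hash) table.

    The salt defeats precomputed tables, so every guess has to be hashed
    once per user, and each hash costs `iterations` SHA-1 calls. Returns
    the passwords recovered and the number of guesses spent.
    """
    recovered = {}
    guesses = 0
    for username, salt, stored in records:
        for candidate in wordlist:
            guesses += 1
            if legacy_hash(candidate, salt, iterations) == stored:
                recovered[username] = candidate
                break
    return recovered, guesses


def _record(username, salt, password):
    # Constructed leaked row: the table holds salt and hash, never the password.
    return (username, salt, legacy_hash(password, salt))


# Constructed sample data: two weak passwords and one strong one.
SAMPLE_RECORDS = [
    _record("alice", b"\x01" * 16, "password1"),
    _record("bob", b"\x02" * 16, "kickstarter"),
    _record("carol", b"\x03" * 16, "Vx9#qL2m!tR7@pZw"),
]

# A tiny stand-in for the multi-million-entry wordlists attackers really use.
WORDLIST = ["123456", "password", "password1", "kickstarter", "letmein"]


if __name__ == "__main__":
    recovered, guesses = crack(SAMPLE_RECORDS, WORDLIST)
    print("recovered:", recovered)
    print("guesses:", guesses, "SHA-1 calls:", guesses * ITERATIONS)
    for username, _salt, _stored in SAMPLE_RECORDS:
        print(username, "cracked" if username in recovered else "survived")
```

Two things fall out of running it. The salt does its job: the same password under two different salts gives two different hashes, so the attacker can neither reuse work across users nor fall back on precomputed tables. But the iteration count only multiplies the attacker's cost linearly (12 guesses here cost 12,000 SHA-1 calls), and SHA-1 is cheap enough on GPU hardware that a weak password still falls within the first few entries of any real wordlist, while the strong one survives the whole list. That is why the notice says newer passwords moved to bcrypt, whose configurable cost makes every guess far more expensive, and why changing a reused password everywhere matters regardless of how it was hashed.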


Additional Resources About This Breach:

https://www.kickstarter.com/blog/important-kickstarter-security-notice

http://www.cnet.com/news/kickstarter-hacked-user-data-stolen/

https://nakedsecurity.sophos.com/2014/02/16/kickstarter-breached-change-your-passwords/

http://www.thewrap.com/kickstarter-reveals-security-breach-ceo-apologizes-profusely/

http://blog.credit.com/2014/02/kickstarter-target-data-breaches-different-76525/
