Hackers stole customer data from Kickstarter's database
Kickstarter's rising popularity has apparently made it a target for hackers, some of whom recently weaseled their way into the crowdfunding site's database and made off with some sensitive information. Some usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords were compromised in the data breach, though Kickstarter says no credit card data was accessed.
Kickstarter also said that while actual passwords were not revealed, it would be possible for a malicious person with enough computing power to guess and crack an encrypted password, especially if it's a weak or obvious one. In an updated statement, Kickstarter acknowledged that older passwords were uniquely salted and digested with SHA-1 multiple times, while more recent passwords are hashed with bcrypt.
"We’re incredibly sorry that this happened. We set a very high bar for how we serve our community, and this incident is frustrating and upsetting," Kickstarter stated in a blog post. "We have since improved our security procedures and systems in numerous ways, and we will continue to do so in the weeks and months to come. We are working closely with law enforcement, and we are doing everything in our power to prevent this from happening again."
Kickstarter has taken some heat for waiting until Saturday to alert people to the breach even though it was notified by law enforcement officials on Wednesday night. "We immediately closed the breach and notified everyone as soon as we had thoroughly investigated the situation," Kickstarter explained.
Regardless, the damage is done and Kickstarter is advising its users to change their passwords, both for their Kickstarter accounts and anywhere else where they might use the same one.