Kickstarter notifies users of data breach after four days

Data breach

Kickstarter notifies users of data breach after four days

Warwick Ashford

Online crowdfunding website Kickstarter has admitted that attackers have breached its computer systems and gained access to user data.

In a blog post at the weekend, Kickstarter chief executive Yancey Strickler said the breach had been repaired and security improved after law enforcement officials had raised the alarm on Wednesday.


He explained the delay in notifying users by saying the organisation had notified everyone as soon as it had investigated the situation thoroughly, but did not comment on why Kickstarter’s own systems did not raise alerts about the breach.

The attackers were able to access some usernames, email addresses, phone numbers and encrypted passwords, but "no credit card data of any kind was accessed", wrote Strickler.

He said there was no evidence of unauthorised activity of any kind on all but two Kickstarter user accounts.

While no actual passwords were revealed, Strickler warned that attackers with enough resources would be able to guess or crack an encrypted password, particularly a weak or obvious one.

“As a precaution, we strongly recommend that you create a new password for your Kickstarter account, and other accounts where you use this password,” he said.

Strickler described the incident as “frustrating and upsetting” and said Kickstarter had improved security procedures and systems in numerous ways, and would continue to do so.

“We are working closely with law enforcement, and we are doing everything in our power to prevent this from happening again,” he said.

Keith Bird, UK managing director of security firm Check Point, praised Kickstarter for notifying users and advising them to reset passwords via its website. 

“It is wise to do this even though Kickstarter stored its passwords in encrypted form,” he said.

According to Kickstarter, older passwords were uniquely salted and digested with SHA-1 multiple times. More recent passwords are hashed with bcrypt.

As a precaution, we strongly recommend that you create a new password for your Kickstarter account, and other accounts where you use this password

Yancey Strickler, Kickstarter

Bird said users should be very cautious about clicking on links in any follow-up emails they receive that appear to come from Kickstarter or related organisations, no matter how plausible the emails appear to be. 

“There’s a real risk that the details stolen in the hack may be used in phishing attacks to try to harvest more personal data,” he said.

Since it was set up in 2009, Kickstarter has expanded to several countries including the UK and collected $982m from more than 5.6 million people for more than 56,000 projects, according to its website.

The most successful projects include games console Ouya, which raised $8,596,474, and the Pebble Watch, which raised $10,266,845.

Those pitching on the site typically offer things like early access to products and services rather than shares in the business in return for pledges of support.

Email Alerts

Register now to receive IT-related news, guides and more, delivered to your inbox.
By submitting your personal information, you agree to receive emails regarding relevant products and special offers from TechTarget and its partners. You also agree that your personal information may be transferred and processed in the United States, and that you have read and agree to the Terms of Use and the Privacy Policy.

COMMENTS powered by Disqus  //  Commenting policy