Online crowdfunding website Kickstarter has admitted that attackers breached its computer systems and gained access to user data.
Kickstarter chief executive Yancey Strickler explained the delay in notifying users by saying the organisation had notified everyone as soon as it had investigated the situation thoroughly, but did not comment on why Kickstarter's own systems did not raise alerts about the breach.
The attackers were able to access some usernames, email addresses, phone numbers and encrypted passwords, but "no credit card data of any kind was accessed", wrote Strickler.
He said there was no evidence of unauthorised activity of any kind on all but two Kickstarter user accounts.
While no actual passwords were revealed, Strickler warned that attackers with enough resources would be able to guess or crack an encrypted password, particularly a weak or obvious one.
“As a precaution, we strongly recommend that you create a new password for your Kickstarter account, and other accounts where you use this password,” he said.
Strickler described the incident as “frustrating and upsetting” and said Kickstarter had improved security procedures and systems in numerous ways, and would continue to do so.
“We are working closely with law enforcement, and we are doing everything in our power to prevent this from happening again,” he said.
Keith Bird, UK managing director of security firm Check Point, praised Kickstarter for notifying users and advising them to reset passwords via its website.
“It is wise to do this even though Kickstarter stored its passwords in encrypted form,” he said.
According to Kickstarter, the stored passwords were hashed rather than encrypted: older passwords were salted with a unique per-user salt and digested with SHA-1 multiple times, while more recent passwords are hashed with bcrypt.
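As an added illustration (not code from the article or from Kickstarter), the following Python sketches the older scheme the article describes, a unique per-user salt followed by repeated SHA-1 digesting, and then runs the offline dictionary attack Strickler warns about against a leaked salt and digest. The round count, the salt length, the wordlist and the sample passwords are constructed assumptions; the article gives none of them, and bcrypt is not shown because it is a third-party package rather than part of the Python standard library.

```python
import hashlib
import hmac
import os

# Assumed parameters: the article does not say how many SHA-1 rounds
# Kickstarter used or how long its salts were.
ROUNDS = 1000
SALT_BYTES = 16

# Constructed wordlist standing in for the attacker's dictionary.
WORDLIST = [
    "password", "123456", "letmein", "kickstarter", "kickstarter1",
    "qwerty", "pebble", "ouya2013", "iloveyou", "welcome1",
]


def hash_password(password: str, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """Salted, iterated SHA-1 in the style the article attributes to older
    Kickstarter passwords: digest salt || password once, then re-digest the
    result until `rounds` SHA-1 calls have been made."""
    digest = hashlib.sha1(salt + password.encode("utf-8")).digest()
    for _ in range(rounds - 1):
        digest = hashlib.sha1(digest).digest()
    return digest


def make_record(password: str):
    """What the server stores for one user: a fresh random salt and the digest."""
    salt = os.urandom(SALT_BYTES)
    return salt, hash_password(password, salt)


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Server-side login check; constant-time compare avoids timing leaks."""
    return hmac.compare_digest(hash_password(password, salt), stored)


def crack(salt: bytes, stored: bytes, wordlist):
    """Offline dictionary attack with the leaked salt and digest in hand.
    The unique salt defeats precomputed (rainbow) tables, but the attacker
    can still recompute the same function for every guess, one user at a
    time, so a weak or obvious password falls quickly."""
    for guess in wordlist:
        if hmac.compare_digest(hash_password(guess, salt), stored):
            return guess
    return None


if __name__ == "__main__":
    # Two constructed accounts: one weak password, one not in the wordlist.
    for pw in ("kickstarter1", "x9!Lq7#pTz2m"):
        salt, stored = make_record(pw)
        assert verify(pw, salt, stored)
        print(f"{pw!r}: cracked as {crack(salt, stored, WORDLIST)!r}")
```

Each guess costs the attacker exactly ROUNDS SHA-1 calls, which is cheap on commodity GPUs, and the salt only prevents that work from being shared across users. Moving to bcrypt changes the economics rather than the principle: its work factor can be raised over time so that every guess costs orders of magnitude more, which is why the article notes the newer hashes and why the advice to pick a new, unique password still stands for anyone whose password is guessable.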
Bird said users should be very cautious about clicking on links in any follow-up emails they receive that appear to come from Kickstarter or related organisations, no matter how plausible the emails appear to be.
“There’s a real risk that the details stolen in the hack may be used in phishing attacks to try to harvest more personal data,” he said.
Since it was set up in 2009, Kickstarter has expanded to several countries including the UK and collected $982m from more than 5.6 million people for more than 56,000 projects, according to its website.
The most successful projects include games console Ouya, which raised $8,596,474, and the Pebble Watch, which raised $10,266,845.
Those pitching projects on the site typically offer rewards such as early access to products and services, rather than shares in the business, in return for pledges of support.