Kickstarter Hacked, Customer Addresses and Other Info Accessed

These days, it really seems we can’t go a week without some big site getting hacked. The latest target? Kickstarter.

Kickstarter announced on its blog (and via an email sent to customers) that hackers had found their way into certain parts of their database.

The good news: No credit card information was accessed — and even if it somehow would’ve been, Kickstarter doesn’t store full credit card numbers.

The not-so-good news: they’ve detected that the hackers were able to access a database that contained usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords. That “encrypted” bit is a plus — but given that no encryption is uncrackable with the right resources, you should absolutely change your password anyway.

Kickstarter says they were alerted to the breach by law enforcement officials (which law enforcement group, specifically, wasn’t mentioned) on Wednesday night, that they immediately closed the exploit that allowed the breach to occur, and that the last four days have been spent investigating exactly what was accessed.

Update: Kickstarter has updated its blog to answer a few questions that they were seeing a lot of. Here’s what we can glean from it:

  • Passwords were protected in one of two ways. Old passwords were salted and hashed with the SHA-1 hash function. Newer passwords were hashed with bcrypt.
  • The company says it took 4 days to alert customers because they had to wait until they’d “thoroughly investigated the situation.”
  • Two accounts showed (unspecified) unauthorized activity; both of those accounts have been re-secured.
  • If you use Facebook to log in to Kickstarter, the company says your FB account hasn’t been compromised. They’ve reset all Facebook tokens, which severs any ties Kickstarter has to your Facebook account until you manually give it permission again.
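As an added illustration (not code from the original article or from Kickstarter) of why the two schemes in the update differ: a password store that keeps legacy salted-SHA-1 records alongside a slow salted hash, verifies either kind, and rehashes a legacy record the next time its owner logs in. It assumes bcrypt is unavailable and uses PBKDF2-HMAC-SHA256 from the standard library as the slow hash; `cost_ratio` measures how many fast SHA-1 guesses fit in the time of one slow guess.

```python
import hashlib
import hmac
import os
import time

# Legacy scheme named in the update: per-user random salt + a single SHA-1 pass.
# SHA-1 is fast by design, so leaked records can be guessed at high speed offline.
def legacy_sha1_digest(password, salt):
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()

# Stand-in for bcrypt (assumption: bcrypt is not in the standard library, so the
# deliberately slow salted hash here is PBKDF2-HMAC-SHA256 with many rounds).
SLOW_ROUNDS = 100_000

def slow_digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, SLOW_ROUNDS).hex()

def make_record(password, scheme="slow"):
    """Store scheme, salt and digest together so old and new records can coexist."""
    salt = os.urandom(16)
    digest = slow_digest(password, salt) if scheme == "slow" else legacy_sha1_digest(password, salt)
    return f"{scheme}${salt.hex()}${digest}"

def verify(record, password):
    """Return (ok, upgraded_record). A legacy record that verifies is rehashed with
    the slow scheme, since login is the only moment the plaintext is available."""
    scheme, salt_hex, digest = record.split("$")
    salt = bytes.fromhex(salt_hex)
    if scheme == "sha1":
        candidate = legacy_sha1_digest(password, salt)
    elif scheme == "slow":
        candidate = slow_digest(password, salt)
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    ok = hmac.compare_digest(candidate, digest)  # constant-time comparison
    if ok and scheme == "sha1":
        return True, make_record(password, "slow")
    return ok, None

def cost_ratio(trials=10):
    # Constructed fixed salt: only the relative cost of the two schemes matters here.
    salt = b"\x00" * 16
    t0 = time.perf_counter()
    for i in range(trials * 1000):
        legacy_sha1_digest(f"guess{i}", salt)
    fast = (time.perf_counter() - t0) / (trials * 1000)
    t0 = time.perf_counter()
    for i in range(trials):
        slow_digest(f"guess{i}", salt)
    return ((time.perf_counter() - t0) / trials) / fast
```

The ratio returned by `cost_ratio` is the factor by which the slow scheme shrinks an attacker's offline guessing rate for a leaked record; bcrypt's cost parameter plays the same role as `SLOW_ROUNDS` here.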