Kickstarter kicked by attack
Crowd-funding site Kickstarter has become the latest high-profile Internet property to call on users to reset their passwords, after announcing that an attacker had made off with user data.
However, the site is at pains to emphasise that attackers won’t have access to credit card data.
In an announcement, the company’s Yancey Strickler says it was alerted by law enforcement on Wednesday night, February 11, that customer data had been obtained by attackers.
“While no credit card data was accessed, some information about our customers was. Accessed information included usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords. Actual passwords were not revealed, however it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one”, Strickler writes.
According to Reuters, Kickstarter retains the last four digits of non-US credit cards, but this wasn’t accessed.
Older passwords were salted and digested with SHA-1 multiple times, the post states, while newer passwords are hashed with bcrypt.
Kickstarter did not provide any details of how the compromise occurred, nor did it detail how many accounts may have been swept up in the data slurp. Strickler’s post also apologises to users, calling the breach “frustrating and upsetting.”