Kickstarter, the major crowdfunding service for video games and more, has been hacked.
The company announced on its blog that hackers had found their way into certain parts of its database last Wednesday. The good news is that no credit-card or payment info was accessed, but the bad news is that some customers’ usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords were.
“We’re incredibly sorry that this happened. We set a very high bar for how we serve our community, and this incident is frustrating and upsetting. We have since improved our security procedures and systems in numerous ways, and we will continue to do so in the weeks and months to come. We are working closely with law enforcement, and we are doing everything in our power to prevent this from happening again,” said Kickstarter in the blog post.
Kickstarter stresses that only encrypted passwords, and not actual passwords, were accessed, but added that “it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one.” It suggested as a precaution that everyone change their password, just to be safe.
Furthermore, Kickstarter was happy to answer some of the most frequent questions it was getting from its customers on its blog, specifically:
- Passwords were protected in one of two ways. Old passwords were salted and hashed with the SHA-1 hash algorithm, and newer passwords were hashed with bcrypt.
- It took 4 days to alert customers because they had to wait until they’d “thoroughly investigated the situation.”
- Two accounts showed (unspecified) unauthorized activity; both of those accounts have been re-secured.
- If you use Facebook to log in to Kickstarter, the company says your Facebook account hasn’t been compromised. Kickstarter has reset all Facebook tokens, which severs any ties it has to your Facebook account until you manually give it permission again.
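The FAQ above draws a line between the two storage schemes, and the earlier warning about "enough computing power" is really about how cheap each guess is for whoever holds the stolen hashes. The following Python is an added example, not Kickstarter's code, that stores and verifies a password under both kinds of scheme and measures the cost of one guess against each. bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 from hashlib stands in for it; like bcrypt it carries a tunable work factor, which is the property that matters here. The password, salts and iteration count are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Scheme 1: salted SHA-1, i.e. one fast hash per guess (the "old passwords" scheme).
# Record format is our own: "sha1$<salt hex>$<digest hex>".
def sha1_hash_password(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return "sha1$%s$%s" % (salt.hex(), digest)

def sha1_verify(password: str, record: str) -> bool:
    scheme, salt_hex, digest = record.split("$")
    if scheme != "sha1":
        raise ValueError("not a sha1 record")
    expected = hashlib.sha1(bytes.fromhex(salt_hex) + password.encode("utf-8")).hexdigest()
    # Constant-time comparison so verification itself leaks nothing about the digest.
    return hmac.compare_digest(expected, digest)

# Scheme 2: a deliberately slow, tunable KDF standing in for bcrypt (assumption: PBKDF2
# is used here only because bcrypt is not in the standard library). The iteration count
# is the work factor; raising it makes every guess proportionally more expensive.
PBKDF2_ITERATIONS = 200_000

def pbkdf2_hash_password(password: str, salt: Optional[bytes] = None,
                         iterations: int = PBKDF2_ITERATIONS) -> str:
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Store the work factor with the record so it can be raised later without a flag day.
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())

def pbkdf2_verify(password: str, record: str) -> bool:
    scheme, iters, salt_hex, dk_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("not a pbkdf2_sha256 record")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def guess_cost_ratio(password: str = "correct horse battery", fast_trials: int = 2000,
                     slow_trials: int = 3) -> float:
    """How many times more expensive one verification is under the slow scheme
    than under salted SHA-1. This is the factor by which an offline guessing
    campaign against the stolen hashes slows down."""
    sha1_rec = sha1_hash_password(password)
    kdf_rec = pbkdf2_hash_password(password)

    t0 = time.perf_counter()
    for _ in range(fast_trials):
        sha1_verify(password, sha1_rec)
    per_sha1 = (time.perf_counter() - t0) / fast_trials

    t0 = time.perf_counter()
    for _ in range(slow_trials):
        pbkdf2_verify(password, kdf_rec)
    per_kdf = (time.perf_counter() - t0) / slow_trials

    return per_kdf / per_sha1

if __name__ == "__main__":
    ratio = guess_cost_ratio()
    print("one guess costs %.0fx more under the slow KDF than under salted SHA-1" % ratio)
```

Two things in the output are worth noticing. The salt alone (scheme 1) only stops precomputed tables; it does not make a single guess any slower, which is why "enough computing power" is a realistic threat to a weak password stored that way. The work factor (scheme 2) is what actually buys time, and because the record carries its own iteration count, the parameter can be raised as hardware gets faster.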