Skip to main content

Kickstarter Hit by Data Breach, User Accounts Compromised

Credit: Kickstarter, Inc.

(Image credit: Kickstarter, Inc.)

UPDATED 10:30 pm Sunday (Feb. 16) with response from Kickstarter.

Crowdfunding company Kickstarter revealed yesterday (Feb. 15) that hackers had broken into its computer systems and accessed user information.

"We're incredibly sorry that this happened," Kickstarter CEO Yancey Strickler said in a company blog posting. "We set a very high bar for how we serve our community, and this incident is frustrating and upsetting."

MORE: How to Protect Yourself from Data Breaches

Compromised Kickstarter user data included usernames, email addresses, mailing addresses, telephone numbers and encrypted passwords.

No credit-card data was accessed, although Strickler said in the blog posting that there had been "unauthorized activity" on two Kickstarter user accounts, and that those two users had been notified.

Law enforcement notified Kickstarter Wednesday night (Feb. 12) of the data breach, Strickler wrote, adding that "we have since improved our security procedures and systems in numerous ways."

Encryption transparency

Notably, an FAQ attached to Strickler's posting explained the forms of encryption used on the passwords — the relatively weak SHA-1 algorithm on older accounts, and the much stronger Bcrypt method on newer ones.

The SHA-1 passwords had been "salted" with random input data to foil password cracking, or decrypting; Bcrypt is automatically salted.

That's much more information about password encryption than companies usually give out during data breaches. Such transparency helps security professionals assess the risk of encryption cracking.

Still, as Strickler warned, "it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one."

Identity theft and account takeovers

Even without the passwords, the information taken in the Kickstarter breach is useful to identity thieves, who can use it to create new accounts under other people's names.

If any passwords are cracked, they can be used to hijack online accounts, since most people unwisely reuse passwords, usernames and email addresses for multiple online accounts.

"We strongly recommend that you create a new password for your Kickstarter account, and other accounts where you use this password," Strickler noted in his blog posting.

One key piece of information was missing from Strickler's note: how many user accounts overall were affected. An email to Kickstarter seeking that figure was not immediately returned.

Founded in 2009, Brooklyn-based Kickstarter facilitates mass funding of artistic and technological projects, taking a cut of 5 percent for itself.

Kickstarter's successes include the Pebble smartwatch and the Ouya Android-based home gaming console, both of which are now commercially available. Several video games funded by Kickstarter are in development.

A Kickstarter-funded feature film based on the "Veronica Mars" TV series opens in theaters next month.

UPDATE: Responding to our query regarding the number of Kickstarter accounts affected by the data breach, a spokesman for Kickstarter referred us to Strickler's original blog posting.

Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.