Crowd-funding website Kickstarter has suffered a security breach in which some user information, including names, encrypted passwords, mailing addresses and phone numbers, was potentially exposed.
The company said that older passwords were uniquely salted and digested multiple times with SHA-1, while more recent passwords are hashed with bcrypt, and that credit card information was not accessed during the breach.
In a statement, CEO Yancey Strickler said that law enforcement officials contacted him last Wednesday night and alerted him that ‘hackers had sought and gained unauthorised access to some of our customers’ data’.
“Upon learning this, we immediately closed the security breach and began strengthening security measures throughout the Kickstarter system. No credit card data of any kind was accessed by hackers. There is no evidence of unauthorised activity of any kind on all but two Kickstarter user accounts,” he said.
“We’re incredibly sorry that this happened. We set a very high bar for how we serve our community, and this incident is frustrating and upsetting. We have since improved our security procedures and systems in numerous ways, and we will continue to do so in the weeks and months to come.
“We are working closely with law enforcement, and we are doing everything in our power to prevent this from happening again. Kickstarter is a vibrant community like no other, and we can’t thank you enough for being a part of it.”
Asked if this shows that the problem is in usernames being re-used, Malwarebytes security researcher Chris Boyd said: “While you could use a password manager as a form of ‘username manager’ and multiply the amount of usernames to sit alongside the passwords created, ultimately I fear many people find simply juggling multiple logins inside a management tool a bridge too far.
“We all want some sense of unity across our online lives given the large amount of logins we all have, and we’re all going to have the same username across sites and services to some degree. All we can do is deploy a password manager, make passwords as hard to guess as we can, resist using the same login across different URLs and make use of two-step authentication and additional backups such as regional lockouts and picture passwords.
“Beyond that, if the service we use is compromised we can say we did all we could for our part, and the rest is up to how secure they made things prior to the breach. As long as you’re not using the same passwords across your own accounts, I don’t think your personal logins are significantly more at risk than if you’d used dozens of different usernames.”