Kickstarter Gets Hit by Hackers

Law enforcement officials contacted Kickstarter last week to alert the company that it had experienced a data breach incident

Yancey Strickler, Kickstarter CEO, said in a blog post that law enforcement officials contacted the company last week to alert it that there had been a breach, with the attackers gaining unauthorized access to some customers' data. The company said it has closed the gap.

Strickler emphasized the narrow scope of the hit: only two user accounts were broken into. And, no credit card data of any kind was accessed by hackers, he said.

Kickstarter does not store full credit card numbers. For pledges to projects outside of the US, the company stores the last four digits and expiration dates for credit cards. None of this data was in any way accessed, according to the company's CEO.

“While no credit card data was accessed, some information about our customers was,” he said. “Accessed information included usernames, email addresses, mailing addresses, phone numbers and encrypted passwords.”

Older passwords were uniquely salted and digested with SHA-1 multiple times. More recent passwords are hashed with bcrypt. “Actual passwords were not revealed, however it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one,” Strickler noted.

Users should take precautions and create new passwords for their Kickstarter account, and other accounts where the same password may be used. As a precaution, Kickstarter itself reset all Facebook login credentials; Facebook users can simply reconnect when they come to Kickstarter.

“We’re incredibly sorry that this happened. We set a very high bar for how we serve our community, and this incident is frustrating and upsetting,” said Strickler. “We have since improved our security procedures and systems in numerous ways, and we will continue to do so in the weeks and months to come. We are working closely with law enforcement, and we are doing everything in our power to prevent this from happening again.”

The Kickstarter team has responded to more than 5,000 inquiries about the news so far.
