Kickstarter Hacked, Customer Information Compromised


Kickstarter, the major crowdfunding service for video games and more, has been hacked.

Well, we've got another big-name corporation to add to the "has been hacked" list, and this time it's crowdfunding giant Kickstarter. Kickstarter has announced on its blog that hackers found their way into certain parts of its database last Wednesday. The good news is that no credit-card or payment info was accessed, but the bad news is that some customers' usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords were.

"We're incredibly sorry that this happened. We set a very high bar for how we serve our community, and this incident is frustrating and upsetting. We have since improved our security procedures and systems in numerous ways, and we will continue to do so in the weeks and months to come. We are working closely with law enforcement, and we are doing everything in our power to prevent this from happening again."

Kickstarter stresses that only encrypted passwords, and not actual passwords, were accessed, but added that "it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one." It suggested as a precaution that everyone change their password, just to be safe.

Kickstarter also used its blog to answer some of the questions it was getting most frequently from customers, specifically:

  • Passwords were protected in one of two ways. Old passwords were salted and hashed with the SHA-1 algorithm, and newer passwords were hashed with bcrypt.
  • It took 4 days to alert customers because they had to wait until they'd "thoroughly investigated the situation."
  • Two accounts showed (unspecified) unauthorized activity; both of those accounts have been re-secured.
  • If you use Facebook to log in to Kickstarter, the company says your FB account hasn't been compromised. They've reset all Facebook tokens, which severs any ties Kickstarter has to your Facebook account until you manually give it permission again.

Source: Kickstarter Blog via Tech Crunch


Well that stinks. So much hacking going on recently. Either security is not as good anymore or hackers are really working hard.

soulfire130:
Well that stinks. So much hacking going on recently. Either security is not as good anymore or hackers are really working hard.

Just like computer hardware and differing brands, network/server/account/etc security, and hacking tools, battle for who can be stronger....but yeah, so much hax.....

soulfire130:
Well that stinks. So much hacking going on recently. Either security is not as good anymore or hackers are really working hard.

Security will always be second rate compared to hacking in the same way that weapon technology will always be superior to armor.

IE it's really impossible to be completely safe. All additional security really does is serve as a deterrent for those who aren't particularly willful. But if someone wants to get in, then they'll get in eventually.

Dammit, time to change my Kickstarter password.

The only thing I used it for was to back Armikrog. No good deed goes unpunished.

Kopikatsu:

soulfire130:
Well that stinks. So much hacking going on recently. Either security is not as good anymore or hackers are really working hard.

Security will always be second rate compared to hacking in the same way that weapon technology will always be superior to armor.

IE it's really impossible to be completely safe. All additional security really does is serve as a deterrent for those who aren't particularly willful. But if someone wants to get in, then they'll get in eventually.

True. There will never be complete security.

But it seems they're going all out in the beginning of the year though. First Target, now Kickstarter.

It could be worse though.

I don't really see why they waited four days. They could still advise that because something funky is going on, that to be safe you should change passwords. That allows them to continue investigating the breach and give a full update when they have it and still let the customers protect themselves as quick as quickly.

Somethingfake:
I don't really see why they waited four days. They could still advise that because something funky is going on, that to be safe you should change passwords. That allows them to continue investigating the breach and give a full update when they have it and still let the customers protect themselves as quick as quickly.

Maintaining complete transparency during an investigation will make solving it more difficult. It would throw the userbase into a panic, which would create increased traffic on the servers, and several groups would likely take credit for the attack (as they've been known to do). Remaining open about how one's company operates is generally a good thing, but maintaining the company's information confidentiality, integrity and availability should always take priority.

I know this is bad and all (I've backed several things on there myself)... but I just can't take this seriously because of that ridiculous stock photo. I just get the giggles every time I look at it.

soulfire130:
Well that stinks. So much hacking going on recently. Either security is not as good anymore or hackers are really working hard.

Security will always be in second place because it can't protect against what isn't known. Build a better mousetrap and you'll get smarter mice.

soulfire130:
Well that stinks. So much hacking going on recently. Either security is not as good anymore or hackers are really working hard.

As was shown back when people tried to hack Paypal, you can actually run a service with no security and if it gets breached sue the hacker for the money it costs to upgrade security and win the court case. So I guess more companies want free security upgrades too!

Yeah, but most people in the business really got no idea how to do things securely enough against professional hackers. And even then you are never completely safe. People do break even into the Pentagon database.

 
