Crowd-Funding Site Kickstarter Hacked

Monday, February 17, 2014

Pierluigi Paganini

The crowd-funding site Kickstarter has been hacked. The company has advised its users to change their passwords.

The popular crowd-funding website Kickstarter is the latest victim of a data breach. All users are invited to change their passwords to avoid further problems. The news was confirmed by Kickstarter CEO Yancey Strickler, who revealed that the company was hacked by an unknown attacker last week.

Kickstarter is a platform for raising funds for private projects: users pledge a variable amount of money in return for certain levels of rewards from the project owner. During account creation, supporters provide their credit card information, which is used to charge the cards once a project they have supported reaches its funding goal.


Kickstarter published an official announcement confirming the data breach and highlighting that no credit card information was stolen. Though the hackers have stolen users’ personal information, the company hasn’t found evidence of unauthorized activities on accounts.

“On Wednesday night, law enforcement officials contacted Kickstarter and alerted us that hackers had sought and gained unauthorized access to some of our customers’ data. Upon learning this, we immediately closed the security breach and began strengthening security measures throughout the Kickstarter system.

No credit card data of any kind was accessed by hackers. There is no evidence of unauthorized activity of any kind on all but two Kickstarter user accounts.

While no credit card data was accessed, some information about our customers was. Accessed information included usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords. Actual passwords were not revealed, however it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one.”

Kickstarter has more than 5.9 million registered users. While the company hasn’t provided information on how many accounts were compromised, it is clear that the situation could be very serious.

Data stolen by the hackers included usernames, phone numbers, email addresses, mailing addresses and encrypted passwords of the users. 

Kickstarter’s team members confirmed that older users’ passwords were hashed with salted SHA-1 and that newer users’ passwords are hashed with a stronger, slower algorithm, ‘bcrypt’.
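A worked example, added here and not Kickstarter’s own code, of the defensive pattern this two-scheme situation calls for: verify a legacy salted-SHA-1 record at login and, on success, rehash the password with a slow, salted hash so the legacy record can be retired. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt so the snippet runs without third-party packages; the stored-record format, salt size and round count are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Legacy scheme (salted SHA-1), as described for older accounts.
# The "scheme$salt$digest" record layout is an assumption for this example.
def legacy_sha1_hash(password: str, salt: bytes) -> str:
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return f"sha1${salt.hex()}${digest}"

# Stand-in for bcrypt: salted, deliberately slow, tunable work factor.
PBKDF2_ROUNDS = 100_000

def strong_hash(password: str, salt: Optional[bytes] = None,
                rounds: int = PBKDF2_ROUNDS) -> str:
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"pbkdf2${rounds}${salt.hex()}${dk.hex()}"

def verify(password: str, stored: str) -> bool:
    """Recompute the record under whichever scheme it was stored with and
    compare in constant time, so both legacy and upgraded records work."""
    scheme, *parts = stored.split("$")
    if scheme == "sha1" and len(parts) == 2:
        candidate = legacy_sha1_hash(password, bytes.fromhex(parts[0]))
    elif scheme == "pbkdf2" and len(parts) == 3:
        rounds, salt_hex, _ = parts
        candidate = strong_hash(password, bytes.fromhex(salt_hex), int(rounds))
    else:
        return False  # unknown or malformed record: never accept it
    return hmac.compare_digest(candidate, stored)

def login(password: str, stored: str):
    """Return (accepted, record_to_persist). The plaintext is only available
    at login, so that is the one moment a legacy record can be upgraded."""
    if not verify(password, stored):
        return False, stored
    if stored.startswith("sha1$"):
        return True, strong_hash(password)  # migrate off salted SHA-1
    return True, stored
```

Once every active account has logged in and been migrated, the remaining salted-SHA-1 records belong to dormant accounts and can be invalidated with a forced reset rather than left for an attacker to crack.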

As usual, victims are advised to change their passwords on Kickstarter and on any other web service where they reused the same credentials, since attackers could attempt to crack the stolen hashes and replay the recovered passwords elsewhere.

Although Kickstarter was notified on Wednesday night, users were only informed on Saturday, because the company chose to close the breach first and notify everyone once it had thoroughly investigated the situation.

Users who log in to Kickstarter with Facebook are not affected. As a precaution the company has reset all Facebook login credentials, so those users only need to reconnect their accounts the next time they visit Kickstarter.

Stay tuned!

This post was edited and cross-posted from the Security Affairs blog.
