updated 08:11 pm EST, Sat February 15, 2014
Payment details not taken by hackers in Kickstarter intrusion
Customer data from popular crowd-funding site Kickstarter, famous for helping launch the Ouya and Pebble smart watch, has been taken by hackers, the company has revealed. Usernames, e-mail addresses, mailing addresses, phone numbers, and encrypted passwords of a number of accounts were accessed in the intrusion, though the company stresses in a blog post that payment information, such as partial credit card numbers, was not taken in the attack.
It was not revealed how the site was breached, but it is said that the vulnerability was closed on Wednesday after law enforcement officials contacted Kickstarter. The extent of the attack appears to be minimal as a later update states that just two accounts were compromised, with the company helping the account holders secure their details, but the company is still taking precautions in case more are affected.
Since passwords were taken in the intrusion, Kickstarter CEO Yancey Strickler strongly recommends "that you create a new password for your Kickstarter account, and other accounts where you use this password." Older passwords were "uniquely salted and digested with SHA-1 multiple times," with newer passwords hashed with bcrypt. Full credit card numbers were not stored on the site; only the last four digits and expiry dates of credit cards for users outside of the US were kept, and this data was not accessed. The site has also reset all Facebook credentials as an extra precaution, with users of the social network's login feature needing to reconnect their account.
The hacking of Kickstarter comes after a number of other high-profile intrusions in recent months. Account details for Yahoo Mail and Snapchat were found to have been taken during similar incidents last month, while a breach at retailer Target saw millions of customer records, including credit and debit card information, pulled by attackers.