Crowdfunding service Kickstarter has told its users to change their passwords, after a breach saw protected logins compromised.
Kickstarter was alerted to the hack by law enforcement on Wednesday and discovered two customer accounts had been tampered with but no credit card information had been accessed.
Usernames, email addresses, mailing addresses, phone numbers and encrypted passwords were compromised, however.
“We’re incredibly sorry that this happened. We set a very high bar for how we serve our community, and this incident is frustrating and upsetting,” Kickstarter CEO Yancey Strickler wrote in a blog post.
“We have since improved our security procedures and systems in numerous ways, and we will continue to do so in the weeks and months to come. We are working closely with law enforcement, and we are doing everything in our power to prevent this from happening again.”
Older passwords were salted and hashed with SHA-1 multiple times, the firm said, whilst more recent passwords were hashed with bcrypt, which should stand up better to brute-force attacks.
Troy Hunt, web security expert and Microsoft Most Valued Professional, said he was impressed by Kickstarter’s response to the breach.
“I think they’ve handled it very well… very early communication, very clear about what they know and also very remorseful without trying to throw blame,” Hunt told TechWeekEurope.
“Also, sharing the hashing implementations was a very transparent move, question is whether they were ‘sufficient’.”
Yet Hunt said “the only safe assumption at the moment is that someone has everyone’s passwords”.
Online crooks have become increasingly adept at cracking encrypted passwords, largely because the tools they use get better with each breach, as they learn patterns of people’s password choices.
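A site holding both kinds of hash described above has to verify against whichever one an account still has, and can replace the weaker one at the next successful login. The sketch below is an added example, not Kickstarter's code: the round count, the way the salt is combined, the `scheme$...` record format and all function names are assumptions, and the standard library's scrypt stands in for bcrypt.

```python
import hashlib
import hmac
import os

LEGACY_ROUNDS = 1000  # assumed; the article gives no iteration count


def legacy_hash(password: str, salt: bytes, rounds: int) -> str:
    """Salted SHA-1 applied `rounds` times (assumed construction)."""
    digest = password.encode()
    for _ in range(rounds):
        digest = hashlib.sha1(salt + digest).digest()
    return digest.hex()


def modern_hash(password: str, salt: bytes) -> str:
    """scrypt from the standard library, standing in for bcrypt."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32).hex()


def make_legacy_record(password: str, salt: bytes) -> str:
    """Build a constructed 'old account' record for the demonstration."""
    return f"sha1${LEGACY_ROUNDS}${salt.hex()}${legacy_hash(password, salt, LEGACY_ROUNDS)}"


def verify_and_upgrade(password: str, record: str) -> tuple[bool, str]:
    """Check a login; return (ok, record to store afterwards).

    A legacy record is replaced by a slow-hash record on the first
    successful login, so the fast SHA-1 hash stops being stored.
    """
    scheme, *fields = record.split("$")
    if scheme == "sha1" and len(fields) == 3:
        rounds, salt_hex, stored = fields
        candidate = legacy_hash(password, bytes.fromhex(salt_hex), int(rounds))
        if not hmac.compare_digest(candidate, stored):
            return False, record
        new_salt = os.urandom(16)
        return True, f"scrypt${new_salt.hex()}${modern_hash(password, new_salt)}"
    if scheme == "scrypt" and len(fields) == 2:
        salt_hex, stored = fields
        candidate = modern_hash(password, bytes.fromhex(salt_hex))
        return hmac.compare_digest(candidate, stored), record
    return False, record  # unknown or malformed scheme: reject
```

Accounts that never log in again keep their legacy hash, which is why a forced password change is the usual companion to this kind of migration.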
Comments
Thank you for the warning. I will change my password immediately.
Thank you for your information. It happened that my bank found out that someone hacked my card and they changed it for me immediately.