Kickstarter hacked


Kickstarter announced today that they were hacked this past week.

Kickstarter is a crowdfunding platform company that was founded in 2009. They have been able to facilitate funding for over 50,000 projects to date. 

On Wednesday, February 12th they were contacted by law enforcement who informed them that their systems had been compromised.

Bad luck that. 

From Kickstarter:

No credit card data of any kind was accessed by hackers. There is no evidence of unauthorized activity of any kind on all but two Kickstarter user accounts.


While no credit card data was accessed, some information about our customers was. Accessed information included usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords. Actual passwords were not revealed, however it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one.

While the post only points to a pair of accounts having unauthorized activity, I'm curious whether we will hear of more and how many passwords were in fact cracked. A note later in the post states that older passwords were salted and hashed with SHA-1, while more recent ones use bcrypt. That distinction matters: a salted SHA-1 hash still costs an attacker only one fast hash computation per guess, so the weak and obvious passwords in the older set are exactly the ones the statement warns can be cracked with enough computing power, whereas bcrypt's tunable work factor makes every guess far more expensive. The good news is that no financial data was reportedly compromised.
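To make the SHA-1 versus bcrypt point concrete, here is an added example (not Kickstarter's code, and not taken from their post) that builds a legacy salted-SHA-1 record and a slow-hash record for the same weak password, runs a small offline dictionary attack against each, measures guesses per second, and shows the usual fix for a mixed database: verify a legacy record at login and transparently re-hash it with the slow scheme. Assumptions: the legacy scheme is modelled as SHA-1 over salt||password (how Kickstarter actually combined them is not stated); PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt, which is not in the standard library; the wordlist is constructed for the demo.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Added example, not Kickstarter's code. Legacy scheme modelled as SHA-1 over
# salt||password (an assumption); PBKDF2-HMAC-SHA256 stands in for bcrypt,
# which is not in the Python standard library.
SLOW_ITERATIONS = 100_000

# Constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["password", "123456", "letmein", "kickstarter1", "qwerty"]


def legacy_sha1_hash(password: str, salt: bytes) -> bytes:
    """Fast legacy hash: a single SHA-1 over salt||password."""
    return hashlib.sha1(salt + password.encode("utf-8")).digest()


def slow_hash(password: str, salt: bytes, iterations: int = SLOW_ITERATIONS) -> bytes:
    """Deliberately slow hash (PBKDF2) so each guess costs the attacker real CPU time."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def legacy_record(password: str) -> dict:
    """Stored record in the old scheme, as the older accounts would hold it."""
    salt = os.urandom(16)
    return {"scheme": "sha1", "salt": salt, "hash": legacy_sha1_hash(password, salt)}


def strong_record(password: str) -> dict:
    """Stored record in the slow scheme."""
    salt = os.urandom(16)
    return {"scheme": "pbkdf2", "salt": salt, "iterations": SLOW_ITERATIONS,
            "hash": slow_hash(password, salt)}


def record_hash(record: dict, password: str) -> bytes:
    """Recompute the hash of a candidate password under the record's own scheme."""
    if record["scheme"] == "sha1":
        return legacy_sha1_hash(password, record["salt"])
    if record["scheme"] == "pbkdf2":
        return slow_hash(password, record["salt"], record["iterations"])
    raise ValueError("unknown scheme %r" % record["scheme"])


def dictionary_attack(record: dict, wordlist) -> Optional[str]:
    """Offline guessing: return the first wordlist entry whose hash matches, else None."""
    for candidate in wordlist:
        if hmac.compare_digest(record_hash(record, candidate), record["hash"]):
            return candidate
    return None


def guess_rate(record: dict, wordlist) -> float:
    """Guesses per second an attacker gets against this record's scheme on one core."""
    start = time.perf_counter()
    for candidate in wordlist:
        record_hash(record, candidate)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return len(wordlist) / elapsed


def verify_and_upgrade(record: dict, password: str) -> Tuple[bool, dict]:
    """Check a login. If the stored record is legacy SHA-1 and the password is right,
    return a replacement record in the slow scheme (transparent upgrade at login)."""
    ok = hmac.compare_digest(record_hash(record, password), record["hash"])
    if ok and record["scheme"] == "sha1":
        return True, strong_record(password)
    return ok, record


if __name__ == "__main__":
    old = legacy_record("kickstarter1")   # weak, in-dictionary password, old scheme
    new = strong_record("kickstarter1")   # same password, slow scheme
    print("legacy record cracked as:", dictionary_attack(old, WORDLIST))
    print("legacy guesses/sec: %.0f" % guess_rate(old, WORDLIST))
    print("slow   guesses/sec: %.1f" % guess_rate(new, WORDLIST))
    ok, upgraded = verify_and_upgrade(old, "kickstarter1")
    print("login ok:", ok, "-> stored scheme is now:", upgraded["scheme"])
```

Both records fall to the dictionary attack because the password itself is weak; the slow scheme only changes how many guesses per second the attacker gets, which is the whole point of bcrypt's cost parameter (each increment doubles the work). The upgrade-on-login routine is how a site with a split SHA-1/bcrypt population retires the old hashes without ever learning users' plaintext passwords outside a login.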

While it is a shame that yet another company like this has been popped, there is a theme developing here. LinkedIn, Evernote, Dropbox, Snapchat...and so on, all have something rather glaring in common. None of them have shared their lessons learned. I would happily eat my words if someone can prove me incorrect on this assertion. 

Why hasn't there been an open sharing of this type of information? Sure, they're not required to, but who benefits when the issues aren't openly discussed? Well, the attackers for one. Their game plan isn't being openly discussed and they can carry on their merry way. Now, kudos to Kickstarter for being as quick as they could in alerting their customers. I would also lovingly suggest to them and others that there should be a lessons learned discussion.

This could go a long way to helping other organizations who might very well be in a similar predicament. How often do smaller companies have a dedicated security team? How often is the security team the same guy who wasn't fast enough to say "not it"?

While Kickstarter took a serious kick in the groin over this incident I see that this could be a very real opportunity for a wider discussion. Obviously, there is a demonstrated need. We see company after company being breached. This continual cycle of breaches has to come to a stop at some point. 

Doesn't it? 

(Image used under CC from www.jeremylim.ca)


Copyright © 2014 IDG Communications, Inc.
