Kickstarter calls for password changes after data breach

On Saturday, crowdfunding giant Kickstarter warned users to change their passwords after criminals compromised account data.

In a blog post on Saturday, Kickstarter CEO Yancey Strickler said that criminals had compromised user data, and that the company learned of the breach only after law enforcement reported the problem.

From the post:

"On Wednesday night, law enforcement officials contacted Kickstarter and alerted us that hackers had sought and gained unauthorized access to some of our customers' data. Upon learning this, we immediately closed the security breach and began strengthening security measures throughout the Kickstarter system."

While it's good that Kickstarter resolved the problem that led to the breach, the company hasn't disclosed any details on the root cause. According to the warning, the breach impacted usernames, email addresses, mailing addresses, phone numbers, and passwords that were salted and digested with SHA-1.

It's possible that weak or obvious passwords could be cracked, so Kickstarter has encouraged everyone to perform a reset, and warned against password sharing. In addition, users who used Facebook to access their accounts will need to re-connect and enable access, as those credentials were reset over the weekend.

"We set a very high bar for how we serve our community, and this incident is frustrating and upsetting. We have since improved our security procedures and systems in numerous ways, and we will continue to do so in the weeks and months to come. We are working closely with law enforcement, and we are doing everything in our power to prevent this from happening again."

While law enforcement warned Kickstarter about the problem on Wednesday, the company didn't say how long the attackers had access to its servers. The concern is that due to password sharing between accounts, the credentials taken from Kickstarter could be used in phishing campaigns or brute-force attacks, such as those observed against Yahoo in January.


Copyright © 2014 IDG Communications, Inc.
