Kickstarter Resets Passwords After Data Breach at Crowd-Funding Site
Hackers breached the crowd-funding site's network and stole its users' credentials, but not card information, according to the company.
Micro-investing site Kickstarter acknowledged on Feb. 15 that attackers had compromised the company's systems and accessed users' personal data, including names, addresses, phone numbers and encrypted passwords. An unnamed law enforcement agency contacted the company on Feb. 12, revealing to the firm that its systems had been breached.
In a statement sent to users, Yancey Strickler, CEO of Kickstarter, apologized for the security lapse, but stressed that no credit-card information had been accessed by the attackers and the passwords had been encrypted. "Actual passwords were not revealed," Strickler said. "However, it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one."
Suffering a breach has almost become a rite of passage for online services. In the past two years, online firms that suffered major compromises include file-sharing site Dropbox, cloud-storage site Evernote, business-networking site LinkedIn, group-discount site Living Social, global news and analysis site Stratfor, and question-and-answer forum Yahoo Voices, to name just a few.
While LinkedIn faced a $5 million class-action lawsuit, since dismissed, for failing to properly hash user passwords, Kickstarter has apparently done most everything right, Patrick Thomas, security consultant at Neohapsis, stated in a blog post. The company notified its users within a few days of learning about the breach, used fairly strong password security and only stored limited data on their users, he said.