Micro-investing site Kickstarter acknowledged on Feb. 15 that attackers had compromised the company’s systems and accessed users’ personal data, including names, addresses, phone numbers and encrypted passwords.
An unnamed law enforcement agency contacted the company on Feb. 12, revealing to the firm that its systems had been breached. In a statement sent to users, Yancey Strickler, CEO of Kickstarter, apologized for the security lapse, but stressed that no credit-card information had been accessed by the attackers and the passwords had been encrypted.
“Actual passwords were not revealed,” Strickler said. “However, it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one.”
Suffering a breach has almost become a rite of passage for online services. In the past two years, online firms that suffered major compromises include file-sharing site Dropbox, cloud-storage site Evernote, business-networking site LinkedIn, group-discount site Living Social, global news and analysis site Stratfor, and question-and-answer forum Yahoo Voices, to name just a few.
While LinkedIn faced a $5 million class-action lawsuit, since dismissed, for failing to properly hash user passwords, Kickstarter has apparently done almost everything right, Patrick Thomas, security consultant at Neohapsis, stated in a blog post. The company notified its users within a few days of learning about the breach, used fairly strong password security and stored only limited data on its users, he said.
“Kickstarter appears to have done a pretty good job in handling user passwords, though not perfect,” Thomas said. “Password reuse across different websites continues to be one of the most significant threats to users and a breach like this can often lead to ripple effects against users if attackers are able to obtain account passwords.”
In an update to its original post, the company stated that older user passwords were hashed and uniquely salted with SHA-1, an algorithm known to have weaknesses, while newer passwords were secured with the stronger bcrypt hashing function. In addition, the company did not store full credit-card numbers, so financial information was not at risk. Kickstarter recommended that all users change their password. CEO Strickler apologized to users for the breach.
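The mixed scheme described above (legacy salted SHA-1 records alongside newer slow-KDF records) is usually handled by verifying against whichever scheme a record carries and re-hashing on the first successful login, when the plaintext is briefly available. The following is an added illustration, not Kickstarter's code; the record format is hypothetical, and because bcrypt is not in Python's standard library, PBKDF2-HMAC-SHA256 stands in for it as the slow function.

```python
from __future__ import annotations
import hashlib
import hmac
import os

# Work factor for the stand-in slow KDF (assumption; tune to ~100 ms per hash).
PBKDF2_ITERATIONS = 200_000


def legacy_sha1_hash(password: str, salt: bytes) -> str:
    # Fast, unsalted-by-design hash; a per-user salt stops precomputation
    # but not high-rate guessing, which is the weakness the article notes.
    return hashlib.sha1(salt + password.encode()).hexdigest()


def strong_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    # Slow KDF with a tunable cost, standing in for bcrypt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def make_legacy_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"scheme": "sha1", "salt": salt, "hash": legacy_sha1_hash(password, salt)}


def make_strong_record(password: str) -> dict:
    salt = os.urandom(16)
    return {"scheme": "pbkdf2", "salt": salt, "iterations": PBKDF2_ITERATIONS,
            "hash": strong_hash(password, salt)}


def verify_and_upgrade(record: dict, password: str) -> tuple[bool, dict]:
    """Verify against the record's own scheme. On success, a legacy SHA-1
    record is replaced by a slow-KDF record; the caller persists the result."""
    if record["scheme"] == "sha1":
        candidate = legacy_sha1_hash(password, record["salt"])
    elif record["scheme"] == "pbkdf2":
        candidate = strong_hash(password, record["salt"], record["iterations"])
    else:
        return False, record  # unknown scheme: fail closed
    if not hmac.compare_digest(candidate, record["hash"]):
        return False, record
    if record["scheme"] == "sha1":
        return True, make_strong_record(password)  # transparent upgrade
    return True, record


if __name__ == "__main__":
    rec = make_legacy_record("correct horse battery")
    ok, rec = verify_and_upgrade(rec, "correct horse battery")
    print(ok, rec["scheme"])  # True pbkdf2
```

Records that never log in again keep their legacy hash, which is why a forced password reset (as Kickstarter recommended) is still the right complement to upgrade-on-login.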
“We set a very high bar for how we serve our community, and this incident is frustrating and upsetting,” he said. “We have since improved our security procedures and systems in numerous ways, and we will continue to do so in the weeks and months to come. We are working closely with law enforcement, and we are doing everything in our power to prevent this from happening again.”