Kickstarter has suffered a major security breach, the crowdfunding site admitted to members in an email circulated yesterday.
Re/code reports that a wedge of customer data was pinched, including usernames and passwords (which were encrypted), email addresses, snail mail addresses and telephone numbers.
Kickstarter didn’t say how many members were affected by the breach, although it did make it clear that no financial details were spilled.
A post on the official Kickstarter blog clarified: “No credit card data of any kind was accessed by hackers. There is no evidence of unauthorised activity of any kind on all but two Kickstarter user accounts.”
As the passwords were encrypted, accessing a Kickstarter account which has had its password leaked won’t be a trivial affair – provided the password isn’t overly simple. A simple password could be susceptible to either being guessed or cracked by brute force.
At any rate, Kickstarter is recommending that members change their password as a precautionary measure – and change the password on any other accounts which use the same one (of course, this is why you should never reuse the same password across different accounts – if one is hacked, then they’re all compromised).
As to who was responsible for the hack, no details were offered.
The security breach was uncovered on Wednesday night, but Kickstarter waited until the weekend to notify folks because, it said, it wanted to “thoroughly” investigate the leakage. The crowdfunding site did note that the breach was “immediately” closed, though.
Kickstarter apologised in the blog post, stating: “We’re incredibly sorry that this happened. We set a very high bar for how we serve our community, and this incident is frustrating and upsetting. We have since improved our security procedures and systems in numerous ways, and we will continue to do so in the weeks and months to come.”