
Kickstarter Security Breach Exposes Customer Data

Posted by Soulskill
from the if-only-there-were-a-way-to-crowdfund-better-security-precautions dept.
New submitter jbov writes "Kickstarter members received an e-mail at about 16:40 EST notifying them of a security breach. According to the e-mail, information including user names, encrypted passwords, mailing addresses, and phone numbers may have been revealed. Kickstarter members were urged to change their passwords. 'Older passwords were uniquely salted and digested with SHA-1 multiple times. More recent passwords are hashed with bcrypt.' Kickstarter claims that credit card information was not accessed during the breach. According to Kickstarter, law enforcement officials contacted the company on Wednesday night and alerted them that 'hackers had sought and gained unauthorized access to some of our customers' data.' Upon learning of the breach, Kickstarter closed the security breach and began strengthening security measures."
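The summary notes that older passwords were uniquely salted and SHA-1 digested multiple times while newer ones use bcrypt. The usual way to retire such legacy hashes is to verify against whichever scheme a record uses and re-hash with the modern scheme the moment a login succeeds; here is that pattern as an added example (not Kickstarter's code; the exact legacy construction is assumed, and PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt):

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Tuple

# Assumed legacy construction (the exact one Kickstarter used is not on the page):
# SHA1(salt || password), then re-digested LEGACY_ROUNDS - 1 more times.
LEGACY_ROUNDS = 1000
# PBKDF2-HMAC-SHA256 stands in for bcrypt, which is not in the standard library.
MODERN_ROUNDS = 200_000


def legacy_sha1_hash(password: str, salt: bytes, rounds: int = LEGACY_ROUNDS) -> bytes:
    digest = hashlib.sha1(salt + password.encode()).digest()
    for _ in range(rounds - 1):
        digest = hashlib.sha1(digest).digest()
    return digest


def modern_hash(password: str, salt: bytes, rounds: int = MODERN_ROUNDS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


@dataclass
class StoredCredential:
    scheme: str  # "sha1-legacy" or "pbkdf2-sha256"
    salt: bytes
    digest: bytes


def create_credential(password: str) -> StoredCredential:
    """New records always get a fresh random salt and the modern scheme."""
    salt = os.urandom(16)
    return StoredCredential("pbkdf2-sha256", salt, modern_hash(password, salt))


def verify_and_upgrade(cred: StoredCredential, password: str) -> Tuple[bool, StoredCredential]:
    """Check the password against the record's own scheme. A successful login against
    a legacy record returns a replacement record for the caller to store: login is the
    only moment the plaintext is available, so it is the only chance to retire the hash."""
    if cred.scheme == "sha1-legacy":
        candidate = legacy_sha1_hash(password, cred.salt)
    else:
        candidate = modern_hash(password, cred.salt)
    ok = hmac.compare_digest(candidate, cred.digest)  # constant-time comparison
    if ok and cred.scheme == "sha1-legacy":
        return True, create_credential(password)
    return ok, cred
```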
  • at least .. (Score:5, Insightful)

    by thephydes (727739) on Sunday February 16, 2014 @12:15AM (#46258095)
    they did the right thing and contacted all the people who use KS and advised them to change their login. Unlike Adobe who still haven't contacted me....... With influence comes responsibility - KS has taken responsibility, Adobe never did.
    • by Anonymous Coward

      Unlike Adobe who still haven't contacted me....... With influence comes responsibility - KS has taken responsibility, Adobe never did.

      Not only did Adobe contact me via E-mail very shortly after the breach but they also snail mailed me a physical letter about what happened.

    • by Anonymous Coward

      I've backed several Kickstarter projects and I have not received an email.

      • by snemarch (1086057)

        Considering how many users KS have, there might still be a few mails in the outgoing queue?

        I received the "uh oh, we've been hacked" mail yesterday 22.30, GMT+1.

  • Kickstarter stores information about Amazon accounts and the like, too. This could be pretty serious.

    AND, they should be held legally responsible. Really, as a society we have to start doing that.
    • Re:Was that ALL? (Score:5, Informative)

      by dbc (135354) on Sunday February 16, 2014 @12:51AM (#46258175)

      Ummmm.... no, Amazon stores your Amazon account info. KS doesn't even store whole credit card numbers.

        "Ummmm.... no, Amazon stores your Amazon account info. KS doesn't even store whole credit card numbers."

        Um, yes. In order to actually operate a Kickstarter project, you are required to give them details of an Amazon account. They only accept and transfer money via Amazon.

        You don't give them your password. But the other account details are more pieces of your personal puzzle that thieves can use to try to access various account(s) of yours.

        • by _Shad0w_ (127912)

          Given you log in to Amazon using your e-mail address...

          • "Given you login to Amazon using your e-mail address..."

            No, you're missing the point. This is how these hackers work, more or less:

            1) They get your account information from one source. Preferably with password (as they did from Kickstarter).

            2) They try that password on the various accounts they have information for. They can also try to brute-force your passwords, or use "social engineering" to get the password for an account or change it to one of their own.

            3) Profit.

            So, yeah... it can be damaging to even just have the name of your Amazon account.

        • by tlhIngan (30335)

          Um, yes. In order to actually operate a Kickstarter project, you are required to give them details of an Amazon account. They only accept and transfer money via Amazon.

          No, they use Amazon PAYMENTS, which while requiring an Amazon account, does not need the originating site to know it.

          What happens is KickStarter forwards your pledge amount to Amazon. Amazon then asks you to log in and find out your method of payment and all that. It then gives the site back a payment token. Kickstarter uses that payment tok

          • "No, they use Amazon PAYMENTS, which while requiring an Amazon account, does not need the originating site to know it."

            No shit, Sherlock. I was talking about the person who had the kickstarter project (the payee), not the people making payments. I said so.

  • Hmm. I have a Kickstarter account, but I haven't gotten a notification email, so far.

    • by Anonymous Coward

      consider this article as a notification?

    • by Mr Z (6791) on Sunday February 16, 2014 @01:15AM (#46258251) Homepage Journal

      The notifications seem to be going out in waves, slowly. I'm not sure why. Across three folks I know (including myself) with Kickstarter accounts, the emails themselves all seem to have gone out within minutes of each other, but one of them arrived just minutes ago.

      I'm guessing with the volume of emails, it got throttled along the way. You can see this in the Received: headers:

      Received: from o2.e2.kickstarter.com (o2.e2.kickstarter.com. [74.63.202.49])
              by xx.example.com with SMTP id xxxxxxxxxx
              for <username@example.com>;
              Sat, 15 Feb 2014 21:49:50 -0800 (PST)
      ...
      Received: by filter-219.sjc1.sendgrid.net with SMTP id xxxxxxxxxx
              Sat, 15 Feb 2014 21:18:46 +0000 (UTC)
      Received: from MTEzNDg (unknown [10.42.83.122])
              by localhost.localdomain (SG) with HTTP id xxxxxxxxxx
              for <no-reply@kickstarter.com>; Sat, 15 Feb 2014 21:18:46 +0000 (GMT)

      Notice that the earlier time stamps (corresponding to when the emails were generated) are around 21:18 GMT, but the arrival timestamps are around 21:49 PST, about 8 and a half hours later. And that's about how far apart our emails arrived. I imagine more are in the queue.

      (And yay crapflooders for making it impossible to format things usefully in Slashdot comments.)

      As far as passwords go, I'm not worried about anyone actually hacking my Kickstarter password. It's a password unique to Kickstarter, and it was generated at random.org as a 13 character mixed-case alphanumeric password. Good luck reverse-hashing that. Even if you do, it won't get you much.
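The comment above reads the Received: headers by eye to find where the mail sat in a queue. Here is that check done programmatically, as an added example that is not part of the original comment: it unfolds the headers, parses each hop's timestamp, and reports how long the message waited before each relay took it. The sample input is constructed from the headers quoted above (ids masked as the commenter masked them).

```python
import re
from datetime import datetime
from email.utils import parsedate_to_datetime
from typing import List, Tuple

# Constructed sample modelled on the headers quoted above (ids masked as the commenter masked them).
SAMPLE_HEADERS = """\
Received: from o2.e2.kickstarter.com (o2.e2.kickstarter.com. [74.63.202.49])
        by xx.example.com with SMTP id xxxxxxxxxx
        for <username@example.com>;
        Sat, 15 Feb 2014 21:49:50 -0800 (PST)
Received: by filter-219.sjc1.sendgrid.net with SMTP id xxxxxxxxxx
        Sat, 15 Feb 2014 21:18:46 +0000 (UTC)
Received: from MTEzNDg (unknown [10.42.83.122])
        by localhost.localdomain (SG) with HTTP id xxxxxxxxxx
        for <no-reply@kickstarter.com>; Sat, 15 Feb 2014 21:18:46 +0000 (GMT)
"""
# RFC 5322 date-time with a numeric zone; a trailing "(PST)"-style comment is ignored.
DATE_RE = re.compile(r"[A-Za-z]{3}, \d{1,2} [A-Za-z]{3} \d{4} \d{2}:\d{2}:\d{2} [+-]\d{4}")

def unfold(raw: str) -> List[str]:
    """Join folded continuation lines (leading whitespace) back onto their header line."""
    out: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and out:
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out

def received_hops(raw: str) -> List[Tuple[str, datetime]]:
    """(receiving host, timestamp) per Received: header, oldest first (relays prepend, so top = latest)."""
    hops: List[Tuple[str, datetime]] = []
    for h in unfold(raw):
        if not h.lower().startswith("received:"):
            continue
        m = DATE_RE.search(h)
        if m is None:
            continue  # undated or malformed hop: skip rather than guess
        by = re.search(r"\bby (\S+)", h)
        hops.append((by.group(1) if by else "?", parsedate_to_datetime(m.group(0))))
    return hops[::-1]

def hop_delays(raw: str) -> List[Tuple[str, int]]:
    """Seconds between each hop's timestamp and the previous hop's: where the mail sat waiting."""
    hops = received_hops(raw)
    return [(host, int((ts - prev).total_seconds()))
            for (_, prev), (host, ts) in zip(hops, hops[1:])]
```

On the sample, the only non-zero delay is the 30664 seconds (8h31m) before xx.example.com accepted the message, matching the gap the commenter read off by hand.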

      • by Zumbs (1241138)
        Maybe they want to avoid getting their mail servers marked as spam servers?
  • by Dunbal (464142) *
    What does this mean for Star Citizen funders? lol
    • by nschubach (922175)
      The same as it does for any other Kickstarter founder... Actually it may be less since Star Citizen started (and obtained) their goal independently before going on Kickstarter.
  • PKI (Score:2, Insightful)

    by Anonymous Coward

    Why are we not using public private key infrastructure for online logins yet????? It's 2014, most people have been online for nearly twenty years and human beings are still using passwords that have to (generally speaking) be memorized which leads to poor password choices and repetition. This problem should have been solved YEARS ago.

    • by brunes69 (86786)

      I have a better question. Why does Kickstarter store IDs or passwords AT ALL. Why do they not mandate federation.

      They have Facebook login, but no Google or OpenID login. Why? And if I am using Facebook login then why do I STILL need to create a stupid Kickstarter.com password, I should be able to ONLY use Facebook.

      Why do so few websites do ID federation properly. It is simply one of the best security options we have today, it makes life SO MUCH EASIER for the user, yet no sites properly use it.

      • by godel_56 (1287256)

        I have a better question. Why does Kickstarter store IDs or passwords AT ALL. Why do they not mandate federation.

        They have Facebook login, but no Google or OpenID login. Why? And if I am using Facebook login then why do I STILL need to create a stupid Kickstarter.com password, I should be able to ONLY use Facebook.

        Why should we have a system with a single point of failure, when it makes it much harder for intruders if they have to break into every site and account separately?

        Also, fuck Google, Facebook etc. They already have more than enough information about me.

      • by Cammi (1956130)
        Kickstarter website does not have competent IT.
  • by Anonymous Coward

    Kickstarter was nice enough to require you to use email as your login!

  • by viperidaenz (2515578) on Sunday February 16, 2014 @03:03PM (#46261141)

    and your email address
    and your phone number
    and your mailing address.

    Thank you for being a part of Kickstarter.

  • Still waiting for the email ...
