Crowdfunding site Kickstarter has posted a security notice revealing hackers gained access to its customer database and is urging all users to immediately change their passwords.
According to a post on the company’s official blog, the attack was first noticed by law enforcement officials last week.
In the post, Kickstarter chief executive Yancey Strickler says the website immediately closed the security breach and installed new security measures.
“While no credit card data was accessed, some information about our customers was. Accessed information included usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords.
“Actual passwords were not revealed, however it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one.”
The website is keen to point out that the attack appeared to centre on just two accounts, and no credit card information was stolen in the attack.
“We set a very high bar for how we serve our community, and this incident is frustrating and upsetting,” Strickler says.
“We have since improved our security procedures and systems in numerous ways, and we will continue to do so in the weeks and months to come.”
In a further statement, the website explains that it only stores the last four digits and expiry dates of credit cards rather than full credit card numbers, and these were not accessed as part of the attack.
The site says it uses strong encryption on stored passwords, which are salted multiple times with SHA-1 and hashed with bcrypt.
The owners of the two accounts at the centre of the attack have been contacted directly.