Kickstarter breached, CEO warns encrypted passwords can be cracked


After popular crowdfunding platform Kickstarter announced on Saturday that it had experienced a breach, all users are being urged to change their passwords, even though the company uses encryption.

Current passwords are hashed with bcrypt, but older passwords were uniquely salted and digested multiple times with SHA-1, Yancey Strickler, CEO of Kickstarter, wrote in a security notice posted on the website and sent to all registered users.

“Actual passwords were not revealed, however it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one,” Strickler wrote.

Law enforcement officials alerted Kickstarter on Wednesday night that an unauthorized party gained access to the company's information, which included usernames, email addresses, mailing addresses, phone numbers and encrypted passwords, but did not include payment card data, according to Strickler.

The breach was immediately locked down and Kickstarter quickly began taking measures to enhance security, Strickler said. He added that users who logged in with Facebook have not been compromised and that those credentials have only been reset as a precaution.

A law enforcement investigation is ongoing, but as of now only two Kickstarter accounts have been compromised, Strickler wrote, explaining that the company was in touch with those users and has secured their accounts.

Strickler said Kickstarter waited roughly four days before announcing the breach to ensure that the issue was rectified and the matter was properly investigated. That is relatively quick for a breach notification compared with other recently compromised organizations, some of which waited as long as several months.

In a statement emailed to SCMagazine.com on Monday, Patrick Thomas, security consultant at mobile and cloud security company Neohapsis, wrote that he was impressed with Kickstarter's timely notification, as well as its clear messaging and proper password handling.

“Kickstarter explained in clear terms what was and was not affected, and gave straightforward actions for users to follow as a result,” Thomas wrote. “Kickstarter's move to bcrypt for more recent passwords is particularly encouraging. It builds in the idea of strong unique salts and a scalable work factor, so that defenders can easily dial up the amount of computation required to try out a hash as computers get faster.”
