Kickstarter breached, CEO warns encrypted passwords can be cracked
After popular crowdfunding platform Kickstarter announced on Saturday that it experienced a breach, all users are being urged to change their passwords, even though the company uses encryption.
Current passwords are hashed with bcrypt, but older passwords were uniquely salted and digested multiple times with SHA-1, Yancey Strickler, CEO of Kickstarter, wrote in a security notice posted on the website and sent to all registered users.
“Actual passwords were not revealed; however, it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one,” Strickler wrote.
Law enforcement officials alerted Kickstarter on Wednesday night that an unauthorized party gained access to the company's information, which included usernames, email addresses, mailing addresses, phone numbers and encrypted passwords, but did not include payment card data, according to Strickler.
The breach was immediately locked down and Kickstarter quickly began taking measures to enhance security, Strickler said. He added that users who logged in with Facebook have not been compromised and that those credentials have only been reset as a precaution.
A law enforcement investigation is ongoing, but as of now only two Kickstarter accounts have been compromised, Strickler wrote, explaining that the company was in touch with those users and has secured their accounts.
Strickler said Kickstarter waited roughly four days before announcing the breach to ensure that the issue was rectified and the matter was properly investigated. That is a fast breach notification compared with other recently compromised entities, some of which waited as long as several months.
In a statement emailed to SCMagazine.com on Monday, Patrick Thomas, security consultant at mobile and cloud security company Neohapsis, wrote that he was impressed with Kickstarter's timely notification, as well as its clear messaging and proper password handling.
“Kickstarter explained in clear terms what was and was not affected, and gave straightforward actions for users to follow as a result,” Thomas wrote. “Kickstarter's move to bcrypt for more recent passwords is particularly encouraging. It builds in the idea of strong unique salts and a scalable work factor, so that defenders can easily dial up the amount of computation required to try out a hash as computers get faster.”
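The two hashing schemes Strickler and Thomas describe (a per-user salt with SHA-1 applied many times for older accounts, and a salted hash with a tunable work factor for newer ones) are illustrated below in an added example that is not Kickstarter's code and not from the article. The exact construction Kickstarter used for its legacy SHA-1 hashes is not public, so the legacy function here is an assumed layout. bcrypt is not in the Python standard library, so `hashlib.pbkdf2_hmac` stands in for it: the property Thomas praises, a unique salt plus a cost parameter stored alongside the hash so defenders can raise it later, is the same. All passwords, salts and cost values are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time

# Legacy scheme as the notice describes it: per-user salt, SHA-1 digested
# repeatedly. Assumed layout for illustration only; the real one is not public.
LEGACY_ROUNDS = 1000


def legacy_sha1_hash(password: str, salt: bytes, rounds: int = LEGACY_ROUNDS) -> bytes:
    """Salted, iterated SHA-1. Fixed rounds: the cost cannot grow without
    re-hashing every user, and SHA-1 is cheap on GPUs."""
    digest = salt + password.encode("utf-8")
    for _ in range(rounds):
        digest = hashlib.sha1(digest).digest()
    return digest


# Work-factor scheme standing in for bcrypt. The record carries the scheme
# name, the cost (log2 of the iteration count) and the salt, so the cost
# can be raised for future hashes without a format change.
def make_record(password: str, cost: int) -> str:
    salt = os.urandom(16)  # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 2 ** cost)
    return f"pbkdf2_sha256${cost}${salt.hex()}${dk.hex()}"


def verify_record(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost; constant-time compare."""
    scheme, cost, salt_hex, dk_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), 2 ** int(cost)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def needs_rehash(record: str, target_cost: int) -> bool:
    """True when the stored cost is below the policy the site now wants."""
    return int(record.split("$")[1]) < target_cost


def login(password: str, record: str, target_cost: int):
    """Verify a login and transparently upgrade the stored cost.

    Returns the (possibly new) record on success, or None on a bad password.
    This is how a site 'dials up' the work factor: the plaintext is only
    available at login, so that is when the stronger hash gets written.
    """
    if not verify_record(password, record):
        return None
    if needs_rehash(record, target_cost):
        return make_record(password, target_cost)
    return record


def seconds_per_hash(cost: int, samples: int = 3) -> float:
    """Measure one hash at a given cost; each +1 roughly doubles the time."""
    start = time.perf_counter()
    for _ in range(samples):
        make_record("benchmark-only", cost)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    stored = make_record("correct horse battery", cost=10)
    print("stored:", stored)
    print("verify ok:", verify_record("correct horse battery", stored))
    print("verify bad:", verify_record("wrong", stored))
    upgraded = login("correct horse battery", stored, target_cost=12)
    print("upgraded cost:", upgraded.split("$")[1])
    for c in (8, 10, 12):
        print(f"cost {c}: {seconds_per_hash(c) * 1000:.2f} ms per hash")
```

The `login` helper is the operational piece: a migration like the one the article describes, from a fixed-cost legacy hash to a work-factor hash, cannot be done offline because the server never holds plaintexts, so accounts move to the stronger scheme one successful login at a time, and accounts that never log in stay on the old hash and remain the exposure.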