The crowdfunding website Kickstarter has been hacked. Kickstarter has been used successfully to fund independent film and video projects through small user donations. Spike Lee recently used Kickstarter to bypass Hollywood studios that would not fund his projects. No credit card information was stolen, but the cyber criminals did get usernames, passwords, email accounts and phone numbers. The company “immediately closed the security breach and began strengthening security measures throughout the Kickstarter system.” The attack occurred earlier in the week, but the company made the announcement on Saturday, Feb. 15.

Additionally, the Kickstarter.com website displays the following information under frequently asked questions (FAQ):
How were passwords encrypted?
Older passwords were uniquely salted and digested with SHA-1 multiple times. More recent passwords are hashed with bcrypt.
Does Kickstarter store credit card data?
Kickstarter does not store full credit card numbers. For pledges to projects outside of the US, we store the last four digits and expiration dates for credit cards. None of this data was in any way accessed.
If Kickstarter was notified Wednesday night, why were people notified on Saturday?
We immediately closed the breach and notified everyone as soon as we had thoroughly investigated the situation.
Will Kickstarter work with the two people whose accounts were compromised?
Yes. We have reached out to them and have secured their accounts.
I use Facebook to log in to Kickstarter. Is my login compromised?
No. As a precaution we reset all Facebook login credentials. Facebook users can simply reconnect when they come to Kickstarter.