Kickstarter, probably the most recognized crowdfunding website in the world, announced today that it had been compromised by hackers and that user data had been stolen. We have talked about countless Kickstarter projects and even talked with some experts on how to launch a proper tech Kickstarter; we’ve even backed a few ourselves. Kickstarter is absolutely enormous now: it states that since its launch in 2009 it has funded over $981 million in projects backed by more than 5.6 million people, funding more than 56,000 creative projects. So, obviously, it looks like a pretty juicy target to go after.
While they didn’t give details about the hack itself, they did plug the hole as soon as they were made aware of the issue by the authorities. Usually, though, most websites are aware that they’ve been hacked and that there was a vulnerability before the police know, so it appears that there was a clear lapse in security somewhere (ignoring the actual vulnerability itself).
What’s more frustrating is that we were made aware of this fact well in advance of the email that Kickstarter had actually sent out to users. You would think that users should be among the first to know that their data has been compromised, especially on a marketplace like Kickstarter. Don’t forget, Kickstarter has a lot of people’s credit card information, although if you protected yourself through a secondary payment method you don’t have much to worry about.
In an email titled "Important Kickstarter Security Notice", the people at Kickstarter notified users of their data breach. In the email they talk about how they found out about the breach on Wednesday from law enforcement and didn’t decide to start emailing users until, I guess, late Saturday night/Sunday morning? Sure, this is still better than some of the other breaches, namely Target’s, but this could deal a pretty significant blow to Kickstarter’s reputation. In the email, they state, "No credit card data of any kind was accessed by hackers. There is no evidence of unauthorized activity of any kind on your account.
While no credit card data was accessed, some information about our customers was. Accessed information included usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords. Actual passwords were not revealed, however it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one.
As a precaution, we strongly recommend that you change the password of your Kickstarter account, and other accounts where you use this password."
Here, you can see that users’ passwords were properly encrypted and that people’s usernames, email addresses, mailing addresses, phone numbers and encrypted passwords were stolen. To me, this breach appears to have been an attempt to gain access to Kickstarter’s audience, which very likely has disposable income to spend on backing projects. As such, people should be very careful with their accounts and should change their password on Kickstarter and on any other sites that share those same login credentials. The truth is that very few things out there today are very secure, and users need to step up their security methods if they want to ensure a more secure digital presence for themselves. The first step would be to enable two-factor authentication on any and every service that offers it, and then go from there.
Hopefully this doesn’t hurt Kickstarter’s relationship with the crowdfunding community, especially considering that there are other crowdfunding services out there that want to compete for Kickstarter’s business. If Kickstarter loses the respect of the community, that community will go somewhere else. You can also bet that we will see other crowdfunding sites beefing up their security to make sure that they don’t suffer a similar breach. We may even see them advertising their security measures or privacy implementations that protect users from such breaches in the future. Either way, it looks like nobody is safe from hackers and everyone needs to protect themselves as much as possible.