Kickstarter bug exposed data from over 70,000 early projects

kickstarter logo trackpad

Crowdfunding darling Kickstarter suffered its first significant security issue last week, when a bug in the company’s API made information available on over 70,000 unreleased projects.

Luckily, the bug didn’t make personal or financial information available, and it was mostly used by a Wall Street Journal reporter who alerted Kickstarter of the issue, the company revealed on its blog yesterday.

“The bug was introduced when we launched the API in conjunction with our new homepage on April 24, and was live until it was discovered and fixed on Friday, May 11, at 1:42pm,” Kickstarter co-founder Yancey Strickler wrote. “The bug made accessible the project description, goal, duration, rewards, video, image, location, category, and user name for unlaunched projects.”

The security lapse isn’t a big deal in the grand scheme of things. The attack on Sony’s PlayStation Network affected more than 100 million users, 12.3 million of which had credit card data stored within the network. Outside of the WSJ reporter’s findings, Kickstarter claims only 48 projects were accessed via the bug.

But this bug is the sort of thing that could make some users a bit more wary of the site — especially as they need to watch out for scam projects on Kickstarter as well.

Users affected by the security lapse don’t seem too concerned though. Speaking to the Wall Street Journal, teacher and musician Sam Billen said, “I’d expect things like [the breach] to happen as they’re growing. It’s probably a one-time thing. But I think there are possibly some bigger projects out there where it might have been a bigger issue.”

Photo via aTrackt project on Kickstarter