Popular crowdfunding site Kickstarter sent a memo to all of its customers last night, informing them that hackers had gained access to some customer data, including usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords.
“We’re incredibly sorry that this happened,” Kickstarter wrote in its email. “We set a very high bar for how we serve our community, and this incident is frustrating and upsetting.”
Fortunately, no credit card data was part of the breach, and Kickstarter believes only two customer accounts — yes, just two — saw unauthorized activity as a result of the breach. It has reached out to both of those customers and has secured their accounts.
Kickstarter learned of the hack on Wednesday, when an unspecified law enforcement agency or department contacted the company. It notified customers as soon as it had assessed the situation and secured the site, Kickstarter said in a FAQ about the hack.
The company did not state how many customer accounts were compromised. Kickstarter is the most popular crowdfunding platform around, with 5.6 million people who have backed over 56,000 successful projects, pledging $982 million to those campaigns since its launch in April 2009.
Kickstarter does not store passwords in plain text: older passwords were hashed with the NSA-designed SHA-1 algorithm, and newer ones with bcrypt, which is built on an encryption algorithm designed by crypto expert Bruce Schneier. Hashing provides some level of protection, but if you have a weak password, as many of us do, it’s a safe bet that the hackers will be able to crack it by guessing in short order. Stronger passwords may take longer to crack.
In either case, it’s a good idea to change your Kickstarter password right now.
And if you’re one of those people who uses the same password on multiple sites, shame on you. As penance — and for security — you should change your password on any other site where you’ve used the same password as you have on Kickstarter.
If you use Facebook to authenticate with Kickstarter, you’ll need to reauthorize Kickstarter via your Facebook account the next time you visit Kickstarter. Your Facebook data has not been compromised, Kickstarter says.
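For site operators holding the kind of mixed store described above (older SHA-1 hashes next to newer slow hashes), the following added example, which is not Kickstarter's code, shows one way to replace a fast legacy hash with a slow one the next time its owner logs in. The record formats, the function names and the use of PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt are assumptions made for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os

ITERATIONS = 600_000  # work factor for the slow hash (assumed value)


def legacy_sha1_record(password: str, salt: bytes) -> str:
    """Build an old-style record: one salted SHA-1 pass (constructed format)."""
    digest = hashlib.sha1(salt + password.encode()).hexdigest()
    return f"sha1${salt.hex()}${digest}"


def slow_record(password: str, salt: bytes | None = None) -> str:
    """Build a new-style record with PBKDF2-HMAC-SHA256 (stand-in for bcrypt)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_and_upgrade(password: str, record: str) -> tuple[bool, str]:
    """Check a login attempt and return (ok, record_to_store).

    A successful login against a legacy SHA-1 record returns a freshly
    computed slow-hash record, so the fast hash can be dropped from the store.
    """
    scheme, *fields = record.split("$")
    if scheme == "sha1" and len(fields) == 2:
        salt = bytes.fromhex(fields[0])
        expected = legacy_sha1_record(password, salt)
        if hmac.compare_digest(expected, record):
            return True, slow_record(password)  # upgrade on success
        return False, record
    if scheme == "pbkdf2" and len(fields) == 3:
        iters, salt = int(fields[0]), bytes.fromhex(fields[1])
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
        return hmac.compare_digest(digest.hex(), fields[2]), record
    return False, record  # unknown scheme: reject rather than guess


if __name__ == "__main__":
    # Constructed sample: a legacy record for a made-up password.
    old = legacy_sha1_record("correct horse", os.urandom(16))
    ok, stored = verify_and_upgrade("correct horse", old)
    print(ok, stored.split("$")[0])
```

Accounts that never log in again keep their SHA-1 record under this approach, so it shortens the exposure of legacy hashes rather than removing it.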