Law enforcement agencies alerted the company to the breach last Wednesday, and the company subsequently informed its users by email on Sunday. The company's chief executive Yancey Strickler went on to apologise in full in a detailed blog post, where he stressed that while hackers had obtained customer passwords, phone numbers and addresses, “no credit card data of any kind was accessed”.
Only two Kickstarter user accounts are believed to have seen unauthorised activity, although the firm has urged all of its users to create new passwords for Kickstarter and other services which use the same password. The firm is now working closely with law enforcement agencies to find out who was behind the attack.
“We're incredibly sorry that this happened,” wrote Strickler. “We set a very high bar for how we serve our community, and this incident is frustrating and upsetting. We have since improved our security procedures and systems in numerous ways.”
Kickstarter account holders will be relieved to learn that the website did at least store passwords in hashed rather than plaintext form (older passwords are uniquely salted and digested with SHA-1 “multiple times”, with newer passwords hashed with bcrypt), although veteran security researcher Graham Cluley says that this may not be enough to stop hackers.
“That means the passwords were not simply encrypted but actually cryptographically hashed,” he said, when writing for We Live Security. “That makes it harder (but not necessarily impossible) for a hacker to crack your password and exploit it.”
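As an added illustration of the two storage schemes the article contrasts (this is example code, not Kickstarter's own, which is not public): a legacy record of the kind described, a per-user salt with SHA-1 applied repeatedly, next to a record using a tunable work-factor hash, plus the upgrade-on-login step a site typically uses to retire the older scheme. The round count of 1,000 is an assumption, and PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt, which is not in the standard library; the property that matters for cracking resistance, a configurable cost per guess, is the same.

```python
import hashlib
import hmac
import os

# Constructed parameters (assumptions, not values from the article).
LEGACY_ROUNDS = 1000          # how many times SHA-1 is re-applied in the legacy scheme
MODERN_ITERATIONS = 200_000   # PBKDF2 work factor; raise as hardware gets faster


def legacy_sha1_hash(password: str, salt: bytes, rounds: int = LEGACY_ROUNDS) -> bytes:
    """Salted, iterated SHA-1: unique salt per user, digest re-hashed `rounds` times.
    SHA-1 is fast by design, so even with iteration the cost per guess stays low."""
    digest = salt + password.encode("utf-8")
    for _ in range(rounds):
        digest = hashlib.sha1(digest).digest()
    return digest


def modern_hash(password: str, salt: bytes, iterations: int = MODERN_ITERATIONS) -> bytes:
    """Stand-in for bcrypt: a deliberately slow, tunable password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def create_record(password: str) -> dict:
    """Store a new password under the modern scheme with a fresh 16-byte random salt."""
    salt = os.urandom(16)
    return {
        "scheme": "pbkdf2-sha256",
        "salt": salt,
        "iterations": MODERN_ITERATIONS,
        "hash": modern_hash(password, salt, MODERN_ITERATIONS),
    }


def create_legacy_record(password: str) -> dict:
    """Construct a record in the legacy format, as an existing user table might hold."""
    salt = os.urandom(16)
    return {"scheme": "sha1-legacy", "salt": salt, "hash": legacy_sha1_hash(password, salt)}


def verify_and_upgrade(record: dict, password: str) -> tuple[bool, dict]:
    """Check a login attempt against a stored record.

    Returns (ok, record). If the password is correct and the record still uses the
    legacy scheme, the returned record is re-hashed under the modern scheme, so each
    successful login migrates one more user off salted SHA-1. Comparisons use
    hmac.compare_digest to avoid leaking timing information."""
    if record["scheme"] == "sha1-legacy":
        ok = hmac.compare_digest(legacy_sha1_hash(password, record["salt"]), record["hash"])
        return (True, create_record(password)) if ok else (False, record)
    if record["scheme"] == "pbkdf2-sha256":
        expected = modern_hash(password, record["salt"], record["iterations"])
        return hmac.compare_digest(expected, record["hash"]), record
    raise ValueError(f"unknown password scheme: {record['scheme']!r}")


if __name__ == "__main__":
    # Constructed sample: a user whose password was stored before the scheme change.
    rec = create_legacy_record("correct horse battery staple")
    ok, rec = verify_and_upgrade(rec, "correct horse battery staple")
    print("login ok:", ok, "| scheme now:", rec["scheme"])
    print("wrong password accepted:", verify_and_upgrade(rec, "password123")[0])
```

Two users with the same password get different hashes because each record carries its own random salt, which is what "uniquely salted" buys: an attacker with the dump cannot test one guess against every account at once. The iteration count is what bcrypt and PBKDF2 add on top: the per-guess cost is chosen by the defender rather than fixed by the speed of SHA-1.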
Cluley added that the details alone would be enough for hackers to carry out a sophisticated social engineering attack, perhaps on companies seeking funding on Kickstarter, while Check Point UK managing director Keith Bird told journalists that the attack was the latest sign of users being vulnerable to phishing and spear phishing attacks.
Jason Hart, VP of cloud services at SafeNet, hopes that this latest breach sees firms switch their attention from perimeter-based defence.
“CIOs have long considered the best defence to be a good offense when it comes to handling security threats, so the vast majority of time and money is spent building the perimeter security measures that keep the outsiders from getting into the network,” Hart told SCMagazineUK.com.
“But in the new reality of security, the best offense is now the best defence and encryption is the key to that.”
Fujitsu UK and Ireland chief security officer David Robinson, speaking to SCMagazineUK.com, added that the hack is a sign that organisations are facing an “unprecedented challenge” in an age where consumer trust in data handling is at an all-time low, “with an organised, criminal industry of experienced hackers working tirelessly to access their customer data.”
“And that's only one side of the coin. Consumer tolerance for data loss is at an all-time low, with less than one in ten consumers thinking that organisations are doing enough to ensure their data is protected.”
He added: “With consumers battling to understand the impact on their personal information if a company is hacked, there is no room for error anymore. To remain ahead of their competitors – and trusted in the eyes of the consumer – organisations need to ensure they are robust in their security.”
Kickstarter was founded in 2009 and has raised almost £600 million for more than 56,000 projects to date, according to its website. It also says that it has collected pledges from more than 5.6 million people.