Kickstarter Hacked, Customer Data Exposed, Credit Card Info Reportedly Safe
The company stated that no credit card information was stolen, although user information was exposed, including usernames, email addresses, and even physical mailing addresses, phone numbers, and encrypted passwords. Thankfully, those passwords were not stored in plain text (they were salted and digested multiple times with SHA-1, with more recent passwords hashed with bcrypt), but of course, armed with all of your information, a hacker could possibly crack your password if it isn’t strong enough.
Worse, that’s a lot of phishing bait to lose track of.
Kickstarter was effusive in its apology and assured users that it has “since improved our security procedures and systems in numerous ways”. It’s also working with law enforcement on the situation.
One galling note about this hack, though, is that Kickstarter knew about it as early as Wednesday night and just got around to telling customers about it. (I received an email just within the last hour.) That’s two and a half days of head start for those who pilfered user data.