Kickstarter was hacked Wednesday night and the crowdfunding site advised users to change their passwords late Saturday afternoon.
The hack appeared limited to just two users’ accounts, Kickstarter said. While the company says that “No credit card data of any kind was accessed by hackers. There is no evidence of unauthorized activity of any kind on all but two Kickstarter user accounts,” the hackers did gain access to other types of information — including “usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords.”
In a blog post, Kickstarter CEO Yancey Strickler offered a Q&A:
“How were passwords encrypted?
Older passwords were uniquely salted and digested with SHA-1 multiple times. More recent passwords are hashed with bcrypt.
Does Kickstarter store credit card data?
Kickstarter does not store full credit card numbers. For pledges to projects outside of the US, we store the last four digits and expiration dates for credit cards. None of this data was in any way accessed.
If Kickstarter was notified Wednesday night, why were people notified on Saturday?
We immediately closed the breach and notified everyone as soon as we had thoroughly investigated the situation.
Will Kickstarter work with the two people whose accounts were compromised?
Yes. We have reached out to them and have secured their accounts.
I use Facebook to log in to Kickstarter. Is my login compromised?
No. As a precaution we reset all Facebook login credentials. Facebook users can simply reconnect when they come to Kickstarter.”
Kickstarter said it’s improved its security measures and will continue to do so in coming weeks.