X

User data stolen in Kickstarter hack

The darling of the crowd-funding scene says that no credit card data was taken, but personal information is at risk.

Nic Healey Senior Editor / Australia
Nic Healey is a Senior Editor with CNET, based in the Australia office. His passions include bourbon, video games and boring strangers with photos of his cat.
Nic Healey

Kickstarter has announced that it was hacked over the weekend, with some user information being stolen.

(Credit: Kickstarter)

The site says that the data taken included usernames, e-mail addresses, mailing addresses, phone numbers and encrypted passwords but stressed that no credit card details were at risk.

Kickstarter says that the passwords were "hashed and salted" but notes that "it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one."

Locating local internet providers

Kickstarter is strongly recommending that all users change their password details. The site issued the following FAQ.

Locating local internet providers

How were passwords encrypted?

Older passwords were uniquely salted and digested with SHA-1 multiple times. More recent passwords are hashed with bcrypt.

Does Kickstarter store credit card data?

Kickstarter does not store full credit card numbers. For pledges to projects outside of the US, we store the last four digits and expiration dates for credit cards. None of this data was in any way accessed.

If Kickstarter was notified Wednesday night, why were people notified on Saturday?

We immediately closed the breach and notified everyone as soon we had thoroughly investigated the situation.

Will Kickstarter work with the two people whose accounts were compromised?

Yes. We have reached out to them and have secured their accounts.

I use Facebook to log in to Kickstarter. Is my login compromised?

No. As a precaution we reset all Facebook login credentials. Facebook users can simply reconnect when they come to Kickstarter.