Kickstarter Site Hacked, Passwords Stolen
Kickstarter, a popular site for raising money for technology and art projects, has been hit by hackers. The site says no credit card information was compromised but warns users to review their passwords.
Kickstarter is a popular "crowdfunding" web site. It lets members of the public pledge money towards a project, usually as a pre-order for a finished product; the pledgers only have to hand over the cash if the project reaches a set funding target.
The most successful such project was Pebble, a wristwatch device that used Kindle-style electronic ink to display information from a smartphone, such as new emails or text messages, without the user having to get their phone out of their pocket. Kickstarter users pledged more than $10 million towards the project.
Passwords, User Names, and Emails Stolen
In both a blog post and an email to registered users, Kickstarter chief Yancey Strickler said hackers had breached security and accessed customer data. This included usernames, email addresses, phone numbers and physical addresses. (Source: kickstarter.com)
The hackers were also able to access passwords, though these were stored in an encrypted format. Strickler said this was done using a range of techniques including password salting, which adds random data to each password before it is run through a one-way algorithm and stored in a database.
Salting Technique May Only Delay Hackers
The advantage of password salting is that it becomes very difficult, if not computationally infeasible, to recover a password from its stored form. If done properly, each password is combined with a unique, random salt, and the result is then hashed with a one-way algorithm.
That means that if one password is cracked, the work done can't be reused to crack another password, because each was stored with a different salt. Instead, hackers must try out every possible combination of letters, numbers and characters for each password, using what's called a brute force attack, until a match is found.
Salting greatly increases the time hackers will usually need to crack the passwords, though hackers who have access to supercomputers (or a botnet, which could act as one) could feasibly carry out a brute force attack in order to crack passwords.
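An added illustration of the salting idea described above (not Kickstarter's code, whose exact scheme the article does not describe): it stores the same constructed passwords with and without a per-user salt and shows that only the unsalted table reveals which users share a password. PBKDF2, the iteration count, the sample accounts and all function names are assumptions made for this example.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 100_000   # assumed work factor for this example
SALT_BYTES = 16        # assumed salt length

def unsalted_record(password):
    """Weak scheme: one fast hash, no salt. Same password gives same stored value."""
    return {"salt": b"", "hash": hashlib.sha256(password.encode("utf-8")).digest()}

def salted_record(password):
    """Per-user random salt fed into a deliberately slow key-derivation function."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}

def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    pw = password.encode("utf-8")
    if record["salt"]:
        candidate = hashlib.pbkdf2_hmac("sha256", pw, record["salt"], ITERATIONS)
    else:
        candidate = hashlib.sha256(pw).digest()
    return hmac.compare_digest(candidate, record["hash"])

def shared_hash_groups(table):
    """Return groups of users whose stored hashes are byte-for-byte identical."""
    groups = defaultdict(list)
    for user, record in table.items():
        groups[record["hash"]].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

# Constructed sample accounts: two users picked the same password.
SAMPLE = {"alice": "correct horse", "bob": "correct horse", "carol": "tr0ub4dor&3"}

def build(record_fn):
    """Build a stored-credentials table from SAMPLE using the given scheme."""
    return {user: record_fn(pw) for user, pw in SAMPLE.items()}

if __name__ == "__main__":
    weak, strong = build(unsalted_record), build(salted_record)
    print("unsalted duplicates:", shared_hash_groups(weak))
    print("salted duplicates:  ", shared_hash_groups(strong))
    print("login still works:  ", verify("correct horse", strong["bob"]))
```

In the unsalted table, one recovered password exposes every account that shares it; in the salted table each record has to be attacked separately.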
Password Breach Could Affect Other Sites
With that in mind, Kickstarter is warning all users that they should change their password on the site. If they use the same password on other sites -- which is considered bad security practice -- they should change it on the other sites as well.
The big fear is that the hackers may take the combinations of user name and cracked password and try them out on other sites, such as email services, where they could access sensitive details. (Source: reuters.com)
Some Kickstarter users didn't have a password but instead connected their Kickstarter account to their Facebook account. That meant they were logged in to Kickstarter automatically as long as they'd recently accessed Facebook. Kickstarter has temporarily disabled that feature, so users will need to reconnect their accounts.
Fortunately no credit card data was stolen in the breach. Kickstarter only stores card data for projects outside the US; even then, it only stores the final four digits of the card number, plus the expiration date.