Kickstarter announced on its official blog earlier today that the popular crowdfunding site was hacked by an unknown party earlier this week, and law enforcement officials are currently investigating. According to Kickstarter co-founder Yancey Strickler, data accessed and potentially stolen from the company servers included usernames, email addresses, mailing addresses, phone numbers and encrypted passwords. Perhaps the only silver lining of the incident was that no credit card data was accessed or stolen from users who previously backed Kickstarter projects.
However, the thieves could attempt to crack the encrypted passwords, which would give them a password that’s linked to a specific user. Since many people use the same or similar passwords on various sites around the Web, that Kickstarter password may also be in use at another popular site, such as a social network. As detailed on the blog, Strickler is encouraging users to reset their password on their Kickstarter account as well as on any site on which that password is also currently used.
Apologizing directly for the incident, Strickler said “We’re incredibly sorry that this happened. We set a very high bar for how we serve our community, and this incident is frustrating and upsetting. We have since improved our security procedures and systems in numerous ways, and we will continue to do so in the weeks and months to come. We are working closely with law enforcement, and we are doing everything in our power to prevent this from happening again.”
If any Kickstarter users have a question about their personal data, a FAQ has been added to the bottom of the blog post. Interestingly, Kickstarter does not store full credit card numbers for pledges on U.S.-based projects, but does store data for pledges on projects outside of the United States. That data includes the last four digits of the credit card account number in addition to the expiration date on the card.