Nowadays, it’s usually not a question of if, but when. Every organisation and every website will eventually find its IT security compromised one way or another. This time it is Kickstarter. In a message to all its users, Kickstarter revealed that they were informed by law enforcement officials on 12 Feb 2014 about the security breach. They have since closed the security breach and taken steps to strengthen their security measures.
Kickstarter’s message also sought to reassure users that no credit card data was accessed, and that there was no unauthorised activity on user accounts.
If you are a Kickstarter user, you should immediately change your password. The encrypted passwords were accessed by the attackers, so it is possible for them to crack your password, particularly if it was an easy one. Other information accessed by the attackers includes usernames, email addresses, mailing addresses and phone numbers.
Here’s the message sent by Kickstarter.
On Wednesday night, law enforcement officials contacted Kickstarter and alerted us that hackers had sought and gained unauthorized access to some of our customers’ data. Upon learning this, we immediately closed the security breach and began strengthening security measures throughout the Kickstarter system.
No credit card data of any kind was accessed by hackers. There is no evidence of unauthorized activity of any kind on your account.
While no credit card data was accessed, some information about our customers was. Accessed information included usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords. Actual passwords were not revealed; however, it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one.
As a precaution, we have reset your Facebook login credentials to secure your account. No further action is necessary on your part.
We’re incredibly sorry that this happened. We set a very high bar for how we serve our community, and this incident is frustrating and upsetting. We have since improved our security procedures and systems in numerous ways, and we will continue to do so in the weeks and months to come. We are working closely with law enforcement, and we are doing everything in our power to prevent this from happening again.
Kickstarter is a vibrant community like no other, and we can’t thank you enough for being a part of it. Please let us know if you have any questions, comments, or concerns. You can reach us at firstname.lastname@example.org.
I’m sure some users will be mad about the revelation of their personal particulars like mailing addresses and phone numbers. On the other hand, it is fortunate that the incident did not involve the leak of credit card or other payment information, at least as reported by Kickstarter.
As I wrote at the start, such security breaches are no longer a question of “if”, but “when”. The best approach for any IT organisation is to plan their security strategy on the assumption that their defences will be broken. They need strong compartmentalisation and containment. They need pre-emptive monitoring, and they need good incident response.
There are many things not yet revealed about the Kickstarter incident, such as how the attackers gained access, how the passwords were encrypted, why the breach was not detected internally, and so on. Hopefully Kickstarter will share more information so that others can learn.
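How the passwords were stored decides how much a leaked table like this is worth to an attacker. The following is an added example (not Kickstarter’s code, whose scheme is not public) showing the storage pattern a site would want in such an incident: a per-user random salt and a deliberately slow key derivation (PBKDF2-HMAC-SHA256 with a configurable work factor), alongside a fast unsalted digest for contrast and a check that rejects the kind of easy passwords the post warns about. The COMMON_PASSWORDS list is a constructed stand-in for a real breached-password list.

```python
import hashlib
import hmac
import os

# Constructed sample of "easy" passwords; a real deployment would check
# against a large list of passwords seen in previous breaches.
COMMON_PASSWORDS = {"password", "123456", "kickstarter", "letmein", "qwerty"}

PBKDF2_ITERATIONS = 200_000  # work factor; raise it as hardware gets faster


def is_weak(password: str) -> bool:
    """Reject the passwords a guessing attack would try first."""
    return len(password) < 12 or password.lower() in COMMON_PASSWORDS


def unsalted_md5(password: str) -> str:
    """Fast, unsalted digest: identical passwords give identical hashes, and
    every guess costs one cheap hash, so a leaked table is quick to crack."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, slow hash. A fresh 16-byte salt per user means equal passwords
    hash differently, so one cracked entry reveals nothing about the others,
    and the iteration count multiplies the cost of every guess."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derivation from the stored salt and iteration count."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so timing does not leak how much matched.
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(is_weak("Password"))  # True: in the common list
```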