At least two users' accounts have been compromised

Feb 17, 2014 09:13 GMT  ·  By

As you might have heard by now, Kickstarter has been hacked. What’s interesting about this incident is that the breach hasn’t been identified by the crowdfunding website, but by law enforcement.

Fortunately, no financial information has been accessed, but the cybercriminals have obtained usernames, email addresses, physical addresses, phone numbers and encrypted passwords.

According to Kickstarter, the older passwords are “uniquely salted and digested with SHA-1 multiple times.” More recent ones are hashed with bcrypt. This makes it difficult for cybercriminals to recover the original passwords from the stolen hashes, but the company still advises users to change their passwords.
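The two storage schemes named above differ in how expensive each password guess is for someone holding the leaked table. The following Python is an added illustration and is not Kickstarter's code: it models the legacy scheme as salted, iterated SHA-1 (the round count and the salt-then-password layout are assumptions, since the article gives no parameters), and, because bcrypt is not in the Python standard library, it uses hashlib's PBKDF2-HMAC-SHA256 as a stand-in for the adaptive scheme (same idea: a per-user salt plus a tunable work factor; the iteration count is likewise assumed). It shows why a unique salt keeps equal passwords from producing equal digests and how the work factor changes the cost of each verification.

```python
import hashlib
import hmac
import os
import time

# Legacy scheme described in the article: unique salt, SHA-1 "multiple times".
# The round count and the salt||password layout are assumptions for illustration;
# the article does not give Kickstarter's actual parameters.
LEGACY_ROUNDS = 1000


def legacy_sha1_hash(password: str, salt: bytes, rounds: int = LEGACY_ROUNDS) -> bytes:
    """Salted, iterated SHA-1: cheap to compute, so each guess costs an attacker little."""
    digest = salt + password.encode("utf-8")
    for _ in range(rounds):
        digest = hashlib.sha1(digest).digest()
    return digest


# Adaptive scheme. The article says newer passwords use bcrypt; bcrypt is not in the
# Python standard library, so PBKDF2-HMAC-SHA256 from hashlib stands in as the same kind
# of construction (salted, with a tunable work factor). The iteration count is assumed.
PBKDF2_ITERATIONS = 200_000


def pbkdf2_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Salted PBKDF2: the iteration count is the knob that makes every guess slow."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


HASHERS = {"legacy-sha1": legacy_sha1_hash, "pbkdf2-sha256": pbkdf2_hash}


def make_record(password: str, scheme: str) -> dict:
    """Store a fresh random 16-byte salt next to the digest, as a password table would."""
    salt = os.urandom(16)
    return {"scheme": scheme, "salt": salt, "digest": HASHERS[scheme](password, salt)}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = HASHERS[record["scheme"]](password, record["salt"])
    return hmac.compare_digest(candidate, record["digest"])


def digests_collide(password: str, scheme: str) -> bool:
    """Two users with the same password get different digests because the salts differ,
    so one precomputed lookup cannot crack every row of a leaked table at once."""
    a = make_record(password, scheme)
    b = make_record(password, scheme)
    return a["digest"] == b["digest"]


def seconds_per_check(scheme: str, samples: int = 5) -> float:
    """Average cost of one verification. The gap between the two schemes is the
    work factor that slows offline guessing against the adaptive hash."""
    record = make_record("correct horse battery staple", scheme)
    start = time.perf_counter()
    for _ in range(samples):
        verify("correct horse battery staple", record)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    for name in HASHERS:
        print(f"{name}: {seconds_per_check(name) * 1000:.2f} ms per check, "
              f"same-password digests collide: {digests_collide('hunter2', name)}")
```

Run it as a script to see the per-check cost of each scheme on your own machine; the legacy hash finishes in well under a millisecond while the PBKDF2 stand-in takes tens to hundreds of milliseconds, which is the margin the article's "difficult to recover" rests on. In a real deployment the work factor should be tuned to the slowest acceptable login latency and raised as hardware gets faster.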

The FAQ published following the breach reveals that the accounts of at least two people have already been compromised.

As security expert Graham Cluley highlights, it took Kickstarter four days to notify users. The company learned of the breach on Wednesday but alerted customers only on Saturday.

On one hand, it’s not uncommon for a breached organization to take a few days before alerting users just to make sure they can evaluate the full extent of the incident.

On the other hand, Kickstarter’s PR team might have intentionally waited until the start of the holiday weekend knowing that many tech journalists would only cover it on Tuesday, by which time the story is already old news.

An even more problematic fact regarding the delayed announcement is that the cybercriminals had four days to abuse the stolen information.

“During those four days – if you were unfortunate enough to be using your Kickstarter password on other websites – the criminals could have accessed your other online accounts, and stolen information from them,” Cluley explained.

“Furthermore, there was nothing to stop them from spamming you with malicious links or phishing attacks, as they now know your email address and other pieces of personal information.”