

Crowdfunding site Kickstarter has revealed that hackers gained unauthorised access to customer data earlier this week.

Compromised details include usernames, email addresses, mailing addresses, phone numbers and password hashes.

Kickstarter users should change their passwords immediately.

Few details are available about the breach but we do know that the company was informed about the unauthorised access on 12 February 2014 and that users had to wait four more days to find out for themselves.

While no credit card data was accessed, some information about our customers was. Accessed information included usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords. Actual passwords were not revealed, however it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one.

No credit card data of any kind was accessed by hackers. There is no evidence of unauthorized activity of any kind on all but two Kickstarter user accounts.

We don't know enough to say if Kickstarter was in a position to tell customers about the data loss any earlier but it is, at the very least, regrettable that the attackers have gained a four days' head start. It's understandable that they would want to seal the breach and discover enough about what happened to provide accurate advice to their users, but when the dust settles they will need to explain why an earlier, precautionary reset of users' passwords wasn't in order.

In an update to their earlier statement Kickstarter published some details of how the passwords were hashed: Older passwords were uniquely salted and digested with SHA-1 multiple times. More recent passwords are hashed with bcrypt.

Users can draw some comfort from the fact that their passwords were hashed rather than encrypted, as Kickstarter indicated in its first statement (if you're wondering why you should draw comfort from that, read our article on how to store your users' passwords safely).
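The two hashing schemes described above (a uniquely salted, iterated SHA-1 digest for older records and a slow password hash for newer ones) typically coexist in one credential store, with legacy records re-hashed the next time the user logs in successfully. The following is an added example of that pattern and is not Kickstarter's code. It assumes a record format of `scheme$rounds$salt$hash`, an iteration count of 1000 for the legacy scheme, and, because bcrypt is not in Python's standard library, uses `hashlib.pbkdf2_hmac` as the stand-in for the modern slow hash:

```python
import hashlib
import hmac
import os
from typing import Tuple

# Constructed example, not Kickstarter's implementation. Two record formats
# live side by side: legacy records use a unique per-user salt and SHA-1
# applied repeatedly; current records use a deliberately slow key-derivation
# function. PBKDF2-HMAC-SHA256 stands in for bcrypt here (assumption).

LEGACY_ROUNDS = 1000        # assumed iteration count for the old scheme
PBKDF2_ROUNDS = 200_000     # work factor for the new scheme


def legacy_hash(password: str, salt: bytes, rounds: int = LEGACY_ROUNDS) -> bytes:
    """Salted SHA-1, iterated: the kind of scheme used for older records.
    The per-user salt means identical passwords do not share a digest."""
    digest = salt + password.encode("utf-8")
    for _ in range(rounds):
        digest = hashlib.sha1(digest).digest()
    return digest


def modern_hash(password: str, salt: bytes, rounds: int = PBKDF2_ROUNDS) -> bytes:
    """Slow, salted key derivation; each guess costs the attacker `rounds` HMACs."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)


def make_record(password: str, scheme: str = "pbkdf2") -> str:
    """Produce a self-describing stored record: scheme$rounds$salt$hash."""
    salt = os.urandom(16)  # fresh random salt per record
    if scheme == "sha1":
        return f"sha1${LEGACY_ROUNDS}${salt.hex()}${legacy_hash(password, salt).hex()}"
    return f"pbkdf2${PBKDF2_ROUNDS}${salt.hex()}${modern_hash(password, salt).hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute with the scheme named in the record and compare in constant time."""
    scheme, rounds_str, salt_hex, hash_hex = record.split("$")
    salt = bytes.fromhex(salt_hex)
    rounds = int(rounds_str)
    if scheme == "sha1":
        candidate = legacy_hash(password, salt, rounds)
    elif scheme == "pbkdf2":
        candidate = modern_hash(password, salt, rounds)
    else:
        return False  # unknown scheme: refuse rather than guess
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


def login(password: str, record: str) -> Tuple[bool, str]:
    """Verify the password; on success, upgrade a legacy record to the modern
    scheme so the weaker digest can be retired. Returns (ok, record_to_store)."""
    if not verify(password, record):
        return False, record
    if record.startswith("sha1$"):
        return True, make_record(password, "pbkdf2")
    return True, record


if __name__ == "__main__":
    stored = make_record("correct horse battery", "sha1")   # constructed legacy record
    ok, stored = login("correct horse battery", stored)
    print(ok, stored.split("$")[0])  # the record is now in the modern scheme
```

The upgrade-on-login step is what lets a site move its whole user base off an older scheme without ever needing the plaintext passwords in bulk; records for users who never return stay in the legacy format, which is why a precautionary reset after a breach matters for exactly those accounts.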
