
Kickstarter hacked, user data stolen but credit card info is safe

Kickstarter has posted to their blog this afternoon with a message nobody ever likes to read. Authorities alerted them that hackers had breached their system, and some of their customer data had been stolen. 

No credit card information was taken, but user names, user email addresses, phone numbers, physical addresses and the encrypted version of user passwords were taken. Per Kickstarter:

Actual passwords were not revealed, however it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one.

Kickstarter says they first learned about the attack and subsequent breach late Wednesday, and were immediately able to shut down the point of attack and start working on analyzing and strengthening the systems. They go on to stress that no credit card data was stolen, as they do not store the full credit card number.

They've posted a FAQ at their blog, which everyone who has used Kickstarter — and that's a pretty big number of people — needs to read. Hit the source link below for that, and any other information they may add in the future.

Source: Kickstarter

Jerry Hildenbrand
Senior Editor — Google Ecosystem


  • That is not good. Mainstream media (NBC, ABC) will twist the f*** out of this story.
    Posted via my thumbs and Google Keyboard. (Defective) N7 2013
  • +10 Sent from my Nexus 7 2013 or iPhone 5
  • Sometimes you don't even need to crack the password to gain access to accounts thanks to Pass-the-Hash attacks. They got all the hashes they need, if successful, they won't even need to crack the password.
  • Yeah, not impressed. I guess this would be a reason to use a different password for every website. Who does that? Ugh.
  • A site called learningcameras has info on how to have a different password for every site without having to remember more than 1 password. The secret is a password string. You can find the article in the tips section. I now hardly ever care if my password is stolen, but having your address and phone number stolen sucks. Posted via Android Central App
  • I had considered this a while ago and quickly discarded that thought for a simple reason.... the "secret" is so obvious to just about anyone that has your original password to then easily guess your password on another site. To test my theory, tell me your password on Gmail and then let me see if I can guess what it is here. I can guess that if it's HARD2HACKMYPASSW0rGMA it's probably HARD2HACKMYPASSW0rAND :)
  • Saw this earlier and reset my password just in case. I also just received an email from Kickstarter saying as a security measure they revoked any Facebook sign-in etc. even if no evidence of unauthorized activity on people's accounts.
  • No email to date. Nothing on their home page. Not impressed by Kickstarter in the slightest.
  • I received an email today. Changed my password then deleted my account. Maybe re-sign up way down the line.
  • So the authorities notified Kickstarter on the breach? How did the authorities know before Kickstarter? Posted via Android Central App
  • That is what went through my head too, why did the "authorities" notify Kickstarter? Shouldn't Kickstarter be monitoring their own network for just these kinds of things? Dan Posted via Android Central App
  • I know tin foil hat... Maybe it was just reported backwards. Posted via Android Central App
  • I am always amused by 'No credit card info was taken' in these stories.. I should bloody well hope not.. considering that they use Amazon as their payment processor.. Kickstarter should never be in possession of any of my credit card details.. If they did, it would be a real worry as to why their payment processor would be giving them any details beyond the fact that I paid, and the amount that I paid.