Security breach at Kickstarter

This email arrived today from Kickstarter…

On Wednesday night, law enforcement officials contacted Kickstarter and alerted us that hackers had sought and gained unauthorized access to some of our customers’ data. Upon learning this, we immediately closed the security breach and began strengthening security measures throughout the Kickstarter system.

No credit card data of any kind was accessed by hackers. There is no evidence of unauthorized activity of any kind on your account.

While no credit card data was accessed, some information about our customers was. Accessed information included usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords. Actual passwords were not revealed, however it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one.

As a precaution, we strongly recommend that you change the password of your Kickstarter account, and other accounts where you use this password.

To change your password, log in to your account at and look for the banner at the top of the page to create a new, secure password. We recommend you do the same on other sites where you use this password. For additional help with password security, we recommend tools like 1Password and LastPass.

We’re incredibly sorry that this happened. We set a very high bar for how we serve our community, and this incident is frustrating and upsetting. We have since improved our security procedures and systems in numerous ways, and we will continue to do so in the weeks and months to come. We are working closely with law enforcement, and we are doing everything in our power to prevent this from happening again.

Kickstarter is a vibrant community like no other, and we can’t thank you enough for being a part of it. Please let us know if you have any questions, comments, or concerns. You can reach us at

Thank you,

Yancey Strickler
Kickstarter CEO

Pretty huge. Here’s a link to a Kickstarter blog post that basically mirrors the email that went out.

  • James Hughes

    I received this email as well. I used my least secure password for this site though. So all anyone would get is more useless info. Still disappointing.

  • Odi Kosmatos

    The days are numbered for entities like Kickstarter and others which require us to trust them and their employees with unencrypted personal information and/or payment information, passwords, etc. We–computer scientists–have finally solved the Byzantine generals’ problem with the blockchain (introduced as part of the bitcoin protocol, you may have heard of it, perhaps in a mocking or overly dramatic post on The Loop, Daring Fireball, Parislemon). Now possible, and soon in our hands, will be distributed autonomous apps/organizations. Watch this talk I attended on the Open Transaction system by Chris Odom, and you’ll see why. Or find out about another system in beta called Ethereum. Chris:

    An idea whose time has come…

    • Moeskido

      Small print: Claims of Bitcoin’s effectiveness as a panacea by individuals heavily invested in it should probably be interpreted with caution.

      • Odi Kosmatos

        You never miss a chance to comment on anything bitcoin-related that I post, cute.

      • Odi Kosmatos

        Oh, lol, a thought just occurred to me — I’m even more heavily invested in Apple. You should make sure my friends and Twitter followers interpret my iOS and Mac related comments with caution too!

        • Moeskido

          Not really. Since the first iPod and iMac took off, Apple has become a proven success with known capabilities. Bitcoin appears to require faithful acolytes to preach about it everywhere, regardless of context.

          • Odi Kosmatos

            Before the iPod and iMac took off, what was it like? Oh, wait…

    • Sigivald

      … except that Kickstarter had the passwords encrypted, and what was stolen were hashes.

      Can you tell me exactly how Open Transaction is going to authenticate me to, e.g. Kickstarter, and based on what, exactly? And in a way that won’t expose a hash to attacks somehow, or completely screw me out of my online identity if I lose (or expose!) a private key?

      I’d rather have a bunch of passwords than a single point of complete compromise.

      (Without having to watch a YouTube video, which are always information-sparse compared to text…)

    • can you link to an overly-dramatic post on Daring Fireball about this? or are you just making things up? hard to tell.

      • Odi Kosmatos

        I tried the DF Archives but only larger posts are shown. The last one I remember (and there’s more than one) is the bitcoin meet-up sexism post. Parislemon’s one I remember (and there’s more than one) is about bitcoins and tulips. Fucking tulips, the most tired bitcoin joke of all. Then The Loop has posted a couple of negative ones, no smarter. Yay, what now?

  • Moeskido

    I found it disappointing that this email went out without Kickstarter having notified anyone about the issue on either Facebook or Twitter. Which meant that my first suspicion was that the email was a phishing attempt.

    Without linking from the email, I looked on Kickstarter’s site, but could find no mention of the problem on the home page. Good thing my wife checked their blog. Passwords were changed.

  • The bit about changing shared passwords suggests the passwords weren’t properly salted. Unfortunate.

    • Sigivald

      These days, salting doesn’t help much.

      The target space just isn’t big enough to prevent brute-forcing all of the combinations – salts make rainbow tables big and unwieldy, but modern hardware can overcome that given a little time… and that problem’s only going to get worse.

      I bet the passwords were salted up to “normal standards” – salting just doesn’t help against someone willing to either use a botnet full of machines with deliciously fast GPUs, or to rent some S3 server time or the like.

      • Good point. And I hope so. Being ultimately crackable is one thing (and I completely agree with you there), but them not implementing that protection at all would be something else. 🙂
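The salting exchange above, as an added example (not part of the original post or its comments, and not Kickstarter's code): a per-user salt makes two accounts with the same password store different hashes, while the cost of each guess is set by the hash function's work factor. PBKDF2-HMAC-SHA256, the iteration count and all function names here are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 100_000  # assumed work factor for this demo; tune to your hardware


def fast_salted_hash(password: str, salt: bytes) -> bytes:
    """Salted single-pass SHA-256: the salt defeats precomputed tables only."""
    return hashlib.sha256(salt + password.encode()).digest()


def slow_salted_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: every guess costs `iterations` HMAC rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(password: str) -> dict:
    """Stored form keeps salt and iteration count so the cost can be raised later."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS,
            "hash": slow_salted_hash(password, salt)}


def verify(password: str, record: dict) -> bool:
    candidate = slow_salted_hash(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])  # constant-time compare


def seconds_per_guess(hash_fn, rounds: int) -> float:
    """Average wall-clock cost of computing one candidate hash."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(rounds):
        hash_fn(f"candidate-{i}", salt)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    a, b = make_record("hunter2"), make_record("hunter2")  # constructed sample password
    print("same password, same stored hash?", a["hash"] == b["hash"])
    fast = seconds_per_guess(fast_salted_hash, 20_000)
    slow = seconds_per_guess(slow_salted_hash, 5)
    print(f"fast: {fast:.2e} s/guess, PBKDF2: {slow:.2e} s/guess, ratio ~{slow / fast:,.0f}x")
```

Storing the iteration count with each record lets a site raise the work factor at the next successful login without forcing a reset.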

  • Sigivald

    This sort of thing always makes me think that password hashes (and stored CC information, if any) should be stored in a separate database on a separate machine, heavily firewalled and only talking to the “main” machines via a special protocol – and only to the internal IP addresses authorized.

    The idea being that that way simply getting a DB-sucking exploit, which is reasonably common, won’t reveal ANYTHING of significant import – to even poke at the machine with the real data you’d need to get root access on the edge server, which in my experience watching these attacks is far, far less common than just getting access to DB contents.