Time For New Passwords: Kickstarter Hacked

By Adam Smith on February 16th, 2014 at 11:08 am.

A quick public service announcement for those of our readers who have a Kickstarter account. If you’re a registered user of the crowdfunding site, an email should have arrived informing you of a hack that occurred on Wednesday night. Just in case that information is nestling in a spam folder or a seldom-studied account, I thought it best to share the details that I received late last night. As far as hacks go it doesn’t sound like a particularly bad one, with no credit card information accessed, but Kickstarter are still recommending that users change their passwords.

To change your password, log in to your account at Kickstarter.com and look for the banner at the top of the page to create a new, secure password. We recommend you do the same on other sites where you use this password.

More below.

I’m having a strategic Sunday, catching up on a couple of games that slipped through the net as last year came to a hectic end. That said, I’ll keep this brief – here’s the full message from Kickstarter.

On Wednesday night, law enforcement officials contacted Kickstarter and alerted us that hackers had sought and gained unauthorized access to some of our customers’ data. Upon learning this, we immediately closed the security breach and began strengthening security measures throughout the Kickstarter system.

No credit card data of any kind was accessed by hackers. There is no evidence of unauthorized activity of any kind on your account.

While no credit card data was accessed, some information about our customers was. Accessed information included usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords. Actual passwords were not revealed, however it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one.

As a precaution, we strongly recommend that you change the password of your Kickstarter account, and other accounts where you use this password.

To change your password, log in to your account at Kickstarter.com and look for the banner at the top of the page to create a new, secure password. We recommend you do the same on other sites where you use this password. For additional help with password security, we recommend tools like 1Password and LastPass.

We’re incredibly sorry that this happened. We set a very high bar for how we serve our community, and this incident is frustrating and upsetting. We have since improved our security procedures and systems in numerous ways, and we will continue to do so in the weeks and months to come. We are working closely with law enforcement, and we are doing everything in our power to prevent this from happening again.

Kickstarter is a vibrant community like no other, and we can’t thank you enough for being a part of it. Please let us know if you have any questions, comments, or concerns. You can reach us at accountsecurity@kickstarter.com.

I’ve already created a new password for myself, made up of three capital letters, sixteen lowercase letters, six numbers and a very specific illustration of a small man clothed entirely in candy floss. I strongly recommend that you choose something similar.

57 Comments

  1. Nevard says:

    That sounds like a strong password, can you tell me what it is so I can use it too?

    • Fallout says:

      Don’t forget to post your username as well… no way of knowing if a password is safe without the username!

    • Gap Gen says:

      If Adam also used it on the Adobe site then sure you can.

  2. Gnoupi says:

    Showing once again that the only safe way is to have disposable passwords which are used only on one site each.

    The repeated hacks of last year already pushed me to move to KeePass (http://keepass.info/), and I’m quite glad I did. Only had to regenerate a password for Kickstarter, saved, and good to go for the next time.

    • LionsPhil says:

      Yup. There’s a reason to keep banging on about unique passwords for everything.

    • Cooper says:

      Yep, just done the same thing with my keepass database.

      Incredibly easy to change a password for one site and as they are all unique, no pissing about trying to remember if you used the same password for other sites.

    • bills6693 says:

      I guess my main problem with this is never being able to remember my passwords myself. If I’m on my laptop then fine, but if I’m on another computer then it’ll mean I can’t access any of my online accounts. And I guess if you only ever use one computer it’s great, but with me using public computers a lot too, I can’t have random strings of letters and numbers.

      My passwords are generally unique, but they’re all ‘the same’ too, in that they’re all the same combination of numbers and something context-sensitive to the site being accessed. So if you had an actual person trying to access my accounts, once they know the number combo, they could probably get into most sites of mine in 2-3 attempts by guessing the other half.

      • Grygus says:

        The KeePass database is very small. You can store it on a USB stick and solve the portability problem; it’s a pretty good idea to have a backup anyway.

      • Gnoupi says:

        If you use an encrypted password database (like keepass, but there are others), you don’t have to remember them, or type them, for that matter. You have only one to remember to unlock the DB.

        As for having it on more than one computer, you can use an online cloud save (dropbox, google drive, etc) to keep the database synced between the different personal computers you use. If you are often on public computers, you have options. One could be to keep your database on a thumb drive. The other would be to use a smartphone and keep it there (using minikeepass, for example). This last option has the advantage of not having your database file “touching” a computer you don’t trust, but you would have to rewrite the passwords yourself, which can be a pain depending on the type you generated.

        • Arkanos says:

          What sounds more secure to you, exactly?

          Generating one complex, long, yet easy to remember password and using it on all sites…

          Or generating a password for each website and putting them all in an encrypted database* that likely says what website each password is for, and is backed up digitally, whether it be in “the cloud”** or locally***.

          One of these things is not like the other. One of them can only be broken with a crowbar and pliers****. The password-manager database can be broken by a relatively well coded program. Your brain is a hundred trillion times more secure than the best encryption system because no one can read your mind.

          *That can be brute-force hacked easily.
          **Easy to steal/hack
          ***Trojans WILL seek this data out in the future, just like they try to steal bitcoin wallet-files now.
          ****http://xkcd.com/538/

          • thedosbox says:

            What sounds more secure to you, exactly? Generating one complex, long, yet easy to remember password and using it on all sites…

            That approach leaves you open to one site getting compromised, and therefore all your accounts being compromised. Given what happened here, that’s clearly not a good idea.

          • LionsPhil says:

            You seriously overestimate the human brain. It’s a terrible source of entropy and a terrible keystore.

            You also seriously underestimate how terrible it is to use the same password on all sites. On a completely unrelated note, hey, sign up for my forum on http://totallytrustworthy.notascam.example.com/, and I’ll give you a beta access key for Half-Life 3!

          • Arkanos says:

            A lower comment I’ve made explains why trojans absolutely will target password manager programs, but also, with the exception of a password-stealing website, which is only a risk to the kind of person who wouldn’t bother with any of this, a long enough password doesn’t get cracked as long as the website doesn’t store it in plaintext. No big website lacks password encryption and most sites too small to care use automated tools which will encrypt the password well enough, or don’t even need a password.

            There are two sides to a password and as long as one side is secure, the password won’t get cracked. The hash can be spilled all over the planet and the password will stay secure if a good implementation was chosen. SHA256, for example, when paired with a good password can have the hash value known to all and still not give up the password even to the most concentrated brute-force attack. But again, I am talking about a good password. Like so: http://xkcd.com/936/

          • InternetBatman says:

            Your website didn’t go anywhere; I was totally going to sign up.

            That said, the xkcd is a bit old. Computers have gotten to the point where it’s easier for them to search every possible combination of every possible word (which caps at 100k-ish) in your password than do it all by random character (which is larger than that very quickly). So a random symbol is not a bad idea.

          • Continuity says:

            Yeah, I’ve been using a combination of a random word sentence and a small sequence of random characters for anything that needs strong protection for over a decade. Say, 6 random characters that you can write down somewhere and a sentence that you memorise… very strong and relatively easy to remember.

          • jalf says:

            @Arkanos: I was going to blockquote bits of your post and respond to them bit by bit, but literally *none* of what you’re saying is accurate.

            Assuming your password database is encrypted with a sane form of encryption, “a relatively well coded program” cannot decrypt it. That is kind of the point in encryption. Do you think people encrypt data just to moderately inconvenience criminals? People use encryption because it is actually secure.

            a long enough password doesn’t get cracked as long as the website doesn’t store it in plaintext. No big website lacks password encryption

            That is blatantly untrue. Countless websites do. And many, many others use very weak hashing algorithms, and/or fail to salt passwords. Heck, you are commenting on a post describing kickstarter passwords being leaked, and you’re claiming that we don’t need to worry about our passwords being leaked by websites?

            and most sites too small to care use automated tools which will encrypt the password well enough, or don’t even need a password.

            No. Most small sites *at best* use md5 or something to hash your password, which is truly trivial for an attacker to crack.

            There are two sides to a password and as long as one side is secure, the password won’t get cracked. The hash can be spilled all over the planet and the password will stay secure if a good implementation was chosen. SHA256, for example, when paired with a good password can have the hash value known to all and still not give up the password even to the most concentrated brute-force attack. But again, I am talking about a good password. Like so: http://xkcd.com/936/

            No, SHA256 is a terrible password hashing algorithm, because it is not slow enough. It allows an attacker a near-infinite number of guesses. Sure, if your password is absurdly long and complex *and* you have never used it, or a similar password, on other websites (from which hackers could get it and add to their dictionary), then it is *probably* safe.

            But really, these days, the only way in which a password can be secure is if it is *globally* unique. If you only use it for *one* site (so that if it gets leaked, it can’t be used anywhere else), and if no one else on the planet uses the same password. Oh, and it has to be very long and have absolutely no pattern or logic to it.

            If all your passwords satisfy those requirements, then sure, you won’t need a password manager. But remember, you need to come up with one such password for *every* site you visit. No exceptions. Otherwise, the security is pretty much nonexistent.

        • Press X to Gary Busey says:

          I use unique passwords but in an old-school analog database – a small paper notebook. It’s portable, has no dependencies and I can (in theory) punch anyone trying to steal it in the mouth.

          • LionsPhil says:

            Physical isolation is the best security.

          • vivlo says:

            Even better, if you know you can’t resist your aggressor, you could still eat the paper! So you would lose them, but your aggressor wouldn’t get them either.

          • Warduke says:

            Or you could eat your aggressor… problem solved.

          • jalf says:

            And if you coat the paper in some kind of lethal toxin, you can ensure that once you’ve eaten the papers, they can’t get the passwords from you through torture either!

            Foolproof!

          • Press X to Gary Busey says:

            Ingenious! And if the threat is not too serious the pages can be used to give the attacker poisonous paper cuts!

      • Hahaha says:

        Until you get infected, put in your pass to access KeePass and oooops, all your pass/users are gone.

        • Cooper says:

          Except that the chances of my specific computer being targeted by a keylogger which -also- seeks out my keepass database and uploads that (let alone seeking out the key file used to unlock it) are tiny compared to the risks of using the same password multiple times through vulnerable sites.

          Individuals are rarely singled out for password-recording infection beyond keyloggers; which will fuck you up more if you do not have a password database. You can’t meaningfully keylog Ctrl + P, Ctrl + V…

          If someone is going to the trouble to gain a copy of your password database, record that password database password and seek out your key file then you have a dedicated hacker singling you out; this doesn’t happen via automation. Unless you are a public figure or up to something that attracts the attention of a hacker, none of us will ever be singled out in that way.

          • Hahaha says:

            Firstly old but lol – http://threatpost.com/researcher-warns-security-hole-keepass-password-manager-062712/76738

            Secondly what do you think happens when you land on a page infected with say the black hole exploit kit?

          • Arkanos says:

            The last time a trojan was made to specifically target a computer, it was made by the NSA. What real criminals do is they make a virus to target the broadest range of vulnerabilities they can hit, and they go after the best attack vectors. A database of passwords is a FANTASTIC source of information for further criminal exploits. Imagine, if you will, that 10% of infected users might use a password manager like KeePass. Now imagine that 10% of those users (1% of all infected) don’t even encrypt it… and another 50% (5% of total) only have the most basic, easily brute-forced, of passwords on it…

            And then imagine 1.5 million people are infected with this trojan. That makes for 90K (1%+5%) targets with an easy to retrieve and read database of absolutely every password they have, possibly if not likely including the sites they use them for.

            Or they could just have the trojan log all keystrokes, as has become super-standard now. Trojans are made to go after the largest exploitable resource: Human stupidity.

            That means all password manager programs are an easy target, now.

          • khulat says:

            If you are infected by a trojan that logs all keypresses you are basically done for anyway. Because it can just as easily log all your passwords (or your one very long password that you use everywhere) and the sites that they are used with.
            So it’s a bit of a stretch to say a Password Safe is making you less secure because of that.

            But the real problem is that we still rely on Passwords in the first place. They are not a good system.
            You can for example use some of the online Password Safes with an authenticator like the Yubikey, which makes it harder to get at all the saved Data, because you not only need something you know (the password) but also something you have (the Yubikey in this case, or another authenticator).

            If your local security is compromised then nothing will help you.

          • Hahaha says:

            You are at more risk compared to, say, a physical list in a safe (a real one, be that big or built in to a wall/floor, not one you can just pick up and walk away with) that would need you to be specifically targeted to obtain, but then that is also banking on the human making no errors, and if the rig gets infected it makes any password storage moot.

            Two-factor has been broken in the past, so it’s not really secure.

      • Cooper says:

        There are decent mobile version for KeePass. I have it on my iPod touch which means I have portable access. I also have portable KeePass on a small USB on my keyring. It’s very easy to keep multiple copies synched and accessible on your own computers and elsewhere (and, in terms of keyloggers and the like, it’s much, much safer to load your KeePass database from a USB and copy-paste your passwords from that on a computer you are not sure is clean.)

      • purdz says:

        Lastpass and google authenticator or a yubikey with a few one time passwords also is all you need.
        With 2 step auth like Google Authenticator or a Yubikey, anyone who gets your master password still will need physical access to your phone and/or your Yubikey to get into your account. Or you can use their passgrid too, which means you carry round a grid of letters in your pocket and they ask you for certain characters as well as your password. Very secure I think.

        Generate a few one time passwords so when you access Lastpass on a public computer you’re using a password that won’t be able to be used again, and any trojan/keylogger will be stuffed.

        Lastpass on your phone too if you want to just type the password out for a site on a public computer so your main key database doesn’t go anywhere near it.

    • Carra says:

      I’ve started using lastpass myself, it auto generates passwords and stores them online.

      It is however, putting a lot of trust in lastpass.

      • purdz says:

        Enable 2 step authentication if you can and you’ll have no problems. Nothing is transmitted between yourself and Lastpass unencrypted, so even if they get access to the Lastpass servers they have little to no hope of cracking your data.

    • mouton says:

      Who uses same passwords for multiple sites anyway? Well, I do, but only for sites that I don’t care about. For anything at all important, kastom password every time.

  3. int says:

    It’s apparently very hard for companies to stay un-hacked.

    • Grygus says:

      If it can be accessed, it can be hacked. That’s just a fact of life.

  4. LionsPhil says:

    …and a very specific illustration of a small man clothed entirely in candy floss.

    It’s amazing what you can find lurking in the dark corners of Unicode.

    • Continuity says:

      I think the allusion was to using an actual image. Some encryption systems I’ve come across can use an image as a “password”, usually as part of a multi factor authentication.

  5. DrMcCoy says:

    So how were the passwords stored? Unsalted MD5? Or bcrypt? Kinda important to know if the hashes were leaked…

    • DrMcCoy says:

      Ah, okay, their blog says:

      Older passwords were uniquely salted and digested with SHA-1 multiple times. More recent passwords are hashed with bcrypt

      That sounds reasonable.

      • KDR_11k says:

        Isn’t using a hashing algorithm multiple times a bad idea?

        • LionsPhil says:

          No, you can do it to increase the time it takes to compute a hash, thus slowing down brute-force attacks.

          (In fact that blog post mentions they’re using bcrypt, which is specifically designed to be slow by doing multiple hashing iterations properly.)

        • aoanla says:

          No, it increases security (since password hash cracking depends on trying lots of potential passwords to see which ones hash to the password hash, if you’re actually hashing more than once, a hacker has to try not just “words that hash to the stored value with one application of sha1” but also “words that hash to the stored value with 2 applications of sha1” (and so on, to N applications, if they don’t know how many applications the site has used).) Obviously, just repeatedly dumbly applying sha1 is bad (since each application reduces the entropy in the system), but there are a lot of algorithms that simply re-add some entropy in each loop to prevent that problem.
          I *assume* that when they say “multiple applications of sha1”, they mean “multiple applications of sha1, with entropy increasing steps”, as that’s how a lot of password hashing tools work.

          • TechnicalBen says:

            Thanks for the info. I’m guessing in the “older days” certain ciphers applied multiple times were pointless, as you can shortcut the solution and cut out the scrambling in the middle.
            http://en.wikipedia.org/wiki/The_Alphabet_Cipher
            But as encryption uses certain calculations, unscrambling them requires you to apply it the same number of times? Though as mentioned above, this does not apply to all types of calculation, but does to some.

          • aoanla says:

            So, the main difference is that sha1 is a “hashing” algorithm, not an encryption or encoding algorithm. Hashing algorithms map a large number of inputs to a small number of outputs, but (ideally) make similar inputs map to very different outputs. They are also usually very hard to reverse (which is why they’re useful in cryptography). I can’t think of a commonly used hashing algorithm which is idempotent, and I’m not sure if it’s actually possible, given the restrictions on the functions, for a good hashing algorithm to be idempotent, or weak in that sense. By definition, a hash cannot be “self inverse” (in the way that rot13 is) because it maps more than one input to a given hash.
            Password “checking” involves hashing the incoming password and comparing that with the hash in the database – because there are many possible values that map to the same hash, technically you don’t need to guess the actual password, just any of the values that map to that hash, via the precise mechanism that the site uses to generate them.

          • TechnicalBen says:

            Cool. Thanks. I’m logging that word “idempotent” to the correct application there. :)
            I get the underlying aspects. So it’s great to see the real meat of the subject.
            I think the warnings I remember may relate in part to compression (where multiple runs are not going to be of any real benefit). Did computing ever use a ROT method? :P
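A worked version of the scheme this thread is discussing, added here as an example; it is not Kickstarter’s code and not code from any commenter. The blog line DrMcCoy quotes (“uniquely salted and digested with SHA-1 multiple times”) is the only description on this page, so both constructions below are assumptions about what it means: PBKDF2-HMAC-SHA1 (RFC 2898), which is the standardised form of aoanla’s “feed something back in every round”, and a naive re-hash loop for contrast. bcrypt is not in the Python standard library, so it is left out. The script also runs the offline dictionary attack the Kickstarter email warns about against a constructed four-row table (not Kickstarter data), counting the HMAC-SHA1 calls the attacker spends: with a per-user salt and a work factor of 20,000, every guess against every user costs 20,000 calls, where a single unsalted SHA-256 (jalf’s point earlier in the thread) would cost one. Because the salts are unique, the two users who chose the same password end up with different digests, so the leaked table does not even reveal that they match.

```python
import hashlib
import hmac
import os


def pbkdf2_sha1(password: bytes, salt: bytes, rounds: int) -> bytes:
    """PBKDF2-HMAC-SHA1 (RFC 2898): salt and password re-enter the HMAC on
    every round, so iterating raises cost without shrinking the input space."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, rounds)


def naive_iterated_sha1(password: bytes, salt: bytes, rounds: int) -> bytes:
    """The other reading of 'digested with SHA-1 multiple times' (an assumption):
    hash salt+password once, then keep re-hashing only the previous 20-byte digest."""
    digest = hashlib.sha1(salt + password).digest()
    for _ in range(rounds - 1):
        digest = hashlib.sha1(digest).digest()
    return digest


def make_record(user: str, password: str, rounds: int = 20_000) -> dict:
    """What a site should store per user: random salt, work factor, digest."""
    salt = os.urandom(16)
    return {"user": user, "salt": salt, "rounds": rounds,
            "hash": pbkdf2_sha1(password.encode(), salt, rounds)}


def verify(record: dict, password: str) -> bool:
    """Login check: recompute with the stored salt and compare in constant time."""
    candidate = pbkdf2_sha1(password.encode(), record["salt"], record["rounds"])
    return hmac.compare_digest(candidate, record["hash"])


def crack(records: list, wordlist: list) -> tuple:
    """Offline dictionary attack on a leaked table. Returns the recovered
    passwords and the number of HMAC-SHA1 calls spent: every (user, guess)
    pair costs a full PBKDF2 run because every salt is different."""
    found, work = {}, 0
    for rec in records:
        for guess in wordlist:
            work += rec["rounds"]
            if pbkdf2_sha1(guess.encode(), rec["salt"], rec["rounds"]) == rec["hash"]:
                found[rec["user"]] = guess
                break
    return found, work


# Constructed sample table (not Kickstarter's data): one weak password, one
# long passphrase, and two users who picked the same password.
LEAK = [
    make_record("weak_user", "password1"),
    make_record("strong_user", "correct horse battery staple 7!"),
    make_record("twin_a", "hunter2"),
    make_record("twin_b", "hunter2"),
]
# Constructed five-entry wordlist standing in for a real cracking dictionary.
WORDLIST = ["123456", "password", "password1", "letmein", "hunter2"]

if __name__ == "__main__":
    found, work = crack(LEAK, WORDLIST)
    print("recovered:", found)
    print("HMAC-SHA1 calls spent:", work)
    print("same password, different digests:", LEAK[2]["hash"] != LEAK[3]["hash"])
```

Note what the work factor does and does not buy: the weak password and the shared “hunter2” fall to a five-word list regardless of the 20,000 rounds, because the rounds only multiply the attacker’s cost per guess and cannot rescue a guessable password. That is why the email still tells everyone to change theirs, and why the attacker’s bill stays proportional to (users × guesses × rounds) only as long as every user has a different salt.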

  6. bglamb says:

    I think there need to be regulations about exactly what data companies can require and store for you. There’s no reason Kickstarter needed my telephone number. The number of times I’ve been asked for that info guarantees that it is no longer secure, and it’s not information that I particularly want public. Sure I can lie, or I can not use these services, but since there is no reason for these companies to ask me for it in the first place, as far as I can tell, I would really welcome some regulation in this area. Otherwise personal info is going to continue to be made available on the black market.

    • PopeRatzo says:

      I think there need to be regulations about exactly what data companies can require and store for you.

      Will never happen. As long as the interests of government and large corporations intersect at the corner of your data and your privacy, we are screwed.

    • Gnoupi says:

      France actually has something for that: http://www.cnil.fr/english/the-cnil/
      Admittedly, it doesn’t hold much power over international websites (or even French ones, for that matter), but that’s something.

    • drinniol says:

      I think they insist on a phone number as it’s something you can point to if your credit card is used fraudulently. Same reason Steam wants a physical address.

  8. P.Funk says:

    Surprised nobody linked this one yet.

    Best password evar, Mr Data?

    • Gap Gen says:

      And now the Russians that bugged the room have the code for all ship functionality. Sweet.

  9. joa says:

    One does not even need to crack any password encryption, one can simply use the birthday problem to guess them. If you have a number of people, it is gauranteed that two of them share the same birthday. Therefore, of the many in the database, it is gauranteed that at least two, and probably many more than two, share the same password encryption. So if you compare the password encryption, you can determine what encryption function was used and then reverse it.