Kickstarter hacked, user data stolen

Join Our Community of Science Lovers!

Hackers hit crowd-funding site Kickstarter and made off with user information, the site said Saturday.

Though no credit card information was taken, the site said, attackers made off with usernames, e-mail addresses, mailing addresses, phone numbers, and encrypted passwords.

"Actual passwords were not revealed, however it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one," the site said in a blog post, adding that "as a precaution, we strongly recommend that you create a new password for your Kickstarter account, and other accounts where you use this password."

On supporting science journalism

If you're enjoying this article, consider supporting our award-winning journalism by subscribing. By purchasing a subscription you are helping to ensure the future of impactful stories about the discoveries and ideas shaping our world today.

The site said law enforcement told Kickstarter of the breach on Wednesday night and that the company "immediately closed the security breach and began strengthening security measures throughout the Kickstarter system." The site also said "no credit card data of any kind was accessed by hackers" and that "there is no evidence of unauthorized activity of any kind on all but two Kickstarter user accounts."

You can read additional information about resetting a password here. We've contacted Kickstarter for more info on the attacks and will update this post when we hear back.

Update, 3:05 p.m. PTKickstarter has added an FAQ to its earlier post. Here it is:

How were passwords encrypted?

Older passwords were uniquely salted and digested with SHA-1 multiple times. More recent passwords are hashed with bcrypt.
Does Kickstarter store credit card data?

Kickstarter does not store full credit card numbers. For pledges to projects outside of the US, we store the last four digits and expiration dates for credit cards. None of this data was in any way accessed.
If Kickstarter was notified Wednesday night, why were people notified on Saturday?

We immediately closed the breach and notified everyone as soon we had thoroughly investigated the situation.
Will Kickstarter work with the two people whose accounts were compromised?

Yes. We have reached out to them and have secured their accounts.
I use Facebook to log in to Kickstarter. Is my login compromised?

No. As a precaution we reset all Facebook login credentials. Facebook users can simply reconnect when they come to Kickstarter.

It’s Time to Stand Up for Science

If you enjoyed this article, I’d like to ask for your support. Scientific American has served as an advocate for science and industry for 180 years, and right now may be the most critical moment in that two-century history.

I’ve been a Scientific American subscriber since I was 12 years old, and it helped shape the way I look at the world. SciAm always educates and delights me, and inspires a sense of awe for our vast, beautiful universe. I hope it does that for you, too.

If you subscribe to Scientific American, you help ensure that our coverage is centered on meaningful research and discovery; that we have the resources to report on the decisions that threaten labs across the U.S.; and that we support both budding and working scientists at a time when the value of science itself too often goes unrecognized.

In return, you get essential news, captivating podcasts, brilliant infographics, can't-miss newsletters, must-watch videos, challenging games, and the science world's best writing and reporting. You can even gift someone a subscription.

There has never been a more important time for us to stand up and show why science matters. I hope you’ll support us in that mission.

Thank you,

David M. Ewalt, Editor in Chief, Scientific American