Kickstarter Hacked, But No Credit Card Data Stolen

February 17, 2014 - GamePolitics Staff

Over the weekend Kickstarter revealed that it had been hacked earlier in the week and that, while no financial information was taken from the site, other user data had been compromised. The largest and most prominent crowd-funding site in the United States told users that the attackers made off with usernames, e-mail addresses, mailing addresses, phone numbers, and encrypted passwords.

"Actual passwords were not revealed, however it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one," the site said in a blog post, noting that "as a precaution, we strongly recommend that you create a new password for your Kickstarter account, and other accounts where you use this password."

Kickstarter says it learned of the breach from law enforcement on the evening of Wednesday, February 12. After learning of it, the company says it "immediately closed the security breach and began strengthening security measures throughout the Kickstarter system." It also stated that "no credit card data of any kind was accessed by hackers" and that "there is no evidence of unauthorized activity of any kind on all but two Kickstarter user accounts."

The company closed by apologizing to its users, saying that it was "incredibly sorry that this happened."

The blog post revealing this news, along with a FAQ on how to change your password and other important information, is on Kickstarter's blog.

Source: CNET


Comments

Re: Kickstarter Hacked, But No Credit Card Data Stolen

Now's a good time to remind people about password security. My primer:

Most passwords get cracked from encrypted files exactly like this leak - plaintext passwords are almost never cracked. Hackers then use the encryption algorithm on various test passwords to see what encrypted strings they match up to. They typically go in the order:

1. Most commonly used passwords (Things like "password" or "1234")

2. Dictionary attack - using every word in the dictionary

3. Modified dictionary attack - as above, but adding numbers to the end or replacing letters with numbers ("I" becomes "1", for instance).

The above three are all very quick, and get a huge number of passwords. If the hackers have time, they'll then go onto:

4. Alphabetical brute force - try every combination of letters up to a certain length

5. Alphanumerical brute force - letters and numbers

6. Alphanumerisymbolical brute force - letters, numbers, and symbols

Your password should be in category 6 if allowed by the site (not all allow symbols), and otherwise 5. It should also be as long as allowed, as there are fewer possible short passwords than long ones. But length limits vary from site to site, and if you insist on only using one password across sites, make it 8 characters long (I've never seen a maximum length shorter than this).

But even if you do everything right, it's still possible (through a site that uses poor/no encryption, or just bad luck) that your password could get cracked. If this happens, the cracker will usually try the same username/password combination on other sites. So, ideally you'll have a different category 6 password for every site.

At this point though, human memory starts getting in the way. You can memorize one 8-digit string with just a bit of practice, and perhaps up to ten different strings if necessary, but these days we use passwords on sites to do everything from banking to posting password advice on blogs. You can't be expected to memorize that many passwords. So what to do? Well, there are a couple options:

A. Use a program on your computer to handle this for you, such as 1Pass. The drawback to this is that you won't easily be able to log into your accounts from another computer. Aside from that, it's about as secure as possible.

B. Use a "password system." Make five or six digits of your password completely random, covering upper- and lower-case letters, numbers, and symbols, and have the remaining digits be unique to each site. Use the first letters that come on instinct.

As an example: Start with a hard-to-crack string: P)t3* for instance (but DO NOT use this one - it's been published, so it's now insecure). Now, add in variable digits to it. I'll mark them by Xs: XPX)t3X*. Then, take the first letters that come to you on instinct for a site. For GamePolitics.com, perhaps GPc, and put those letters in place of the Xs (maybe backwards, maybe a different order). You'll get something like cPP)t3G* for this site. And your Amazon.com password might be cPz)t3A*.

The drawback to this method is that a savvy cracker still might be able to figure out your system, but most won't bother to try. This method isn't common enough that it's a concern at this stage, though this may change in the future.
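The staged attack the comment above describes, run against a leaked hash table, as an added example that is not part of the article or the commenter's post. The leak is constructed: each plaintext is chosen to fall to a different stage of the list (common passwords, dictionary, mangled dictionary, brute force), and the commenter's own published string cPP)t3G* is included to show it surviving all of them. Salted SHA-1 is assumed as the site's scheme purely because it is cheap to compute (the page only says the passwords were "encrypted"); the wordlists are tiny stand-ins for the multi-million-entry lists real crackers use. The last function makes the comment's stated drawback concrete: given two of one person's passwords from two sites, the fixed core of a "password system" falls out by position-wise comparison.

```python
"""Staged offline attack on a constructed leak of salted SHA-1 password hashes.

Added example; not code from the article or the commenter. Scheme, salts,
wordlists and accounts below are all assumptions made for illustration.
"""
import hashlib
import itertools
import string

LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})

# Constructed stage wordlists (real ones hold millions of entries).
COMMON = ["123456", "password", "12345678", "qwerty", "abc123", "1234"]
DICTIONARY = ["dragon", "monkey", "letmein", "summer", "welcome", "kickstart"]


def hash_pw(salt: str, password: str) -> str:
    """Assumed site scheme: hex SHA-1 over salt || password. Fast, hence crackable."""
    return hashlib.sha1((salt + password).encode("utf-8")).hexdigest()


def make_leak(accounts):
    """Build the leaked (user, salt, hash) rows from plaintexts. Only used to
    construct the sample; a real attacker starts from the hashes alone."""
    return [(user, salt, hash_pw(salt, pw)) for user, salt, pw in accounts]


def mangled(words):
    """Stage 3: each word with capitalisation, leet substitutions, and 0-99 appended."""
    for word in words:
        bases = {word, word.capitalize(), word.translate(LEET),
                 word.capitalize().translate(LEET)}
        for base in sorted(bases):
            yield base
            for n in range(100):
                yield f"{base}{n}"


def brute_force(alphabet, max_len):
    """Stages 4-6: every string over `alphabet` up to `max_len` characters."""
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            yield "".join(chars)


def crack(leak, max_brute_len=3):
    """Run the stages in the comment's order.

    Returns ({user: (stage, password)}, hashes_computed). Because every row has
    its own salt, each guess is hashed once per still-uncracked account."""
    stages = [
        ("1 common", lambda: iter(COMMON)),
        ("2 dictionary", lambda: iter(DICTIONARY)),
        ("3 mangled dictionary", lambda: mangled(DICTIONARY)),
        (f"4 brute force a-z <= {max_brute_len}",
         lambda: brute_force(string.ascii_lowercase, max_brute_len)),
    ]
    pending = {user: (salt, digest) for user, salt, digest in leak}
    found, computed = {}, 0
    for name, candidates in stages:
        for guess in candidates():
            for user in list(pending):
                salt, digest = pending[user]
                computed += 1
                if hash_pw(salt, guess) == digest:
                    found[user] = (name, guess)
                    del pending[user]
            if not pending:
                return found, computed
    return found, computed


def infer_template(pw_a: str, pw_b: str, marker: str = "X") -> str:
    """Recover the fixed core of a 'password system' from two leaked passwords:
    positions that agree are kept, positions that differ become `marker`.
    Assumes equal-length inputs (the variable part is substituted, not inserted)."""
    if len(pw_a) != len(pw_b):
        raise ValueError("template inference here assumes equal lengths")
    return "".join(a if a == b else marker for a, b in zip(pw_a, pw_b))


# Constructed sample leak; salts are short only to keep it readable.
SAMPLE_LEAK = make_leak([
    ("alice", "7f3a", "password"),   # stage 1
    ("bob", "c0de", "monkey"),       # stage 2
    ("carol", "91b2", "Dragon42"),   # stage 3: capitalised + digits
    ("dave", "e4e4", "l3tm31n"),     # stage 3: leet-speak "letmein"
    ("erin", "5a5a", "zqx"),         # stage 4: short, lowercase only
    ("frank", "b00b", "cPP)t3G*"),   # commenter's published example; survives
])


if __name__ == "__main__":
    found, computed = crack(SAMPLE_LEAK)
    for user, (stage, pw) in found.items():
        print(f"{user:6} cracked at stage {stage!r}: {pw}")
    survivors = [u for u, _, _ in SAMPLE_LEAK if u not in found]
    print(f"uncracked after {computed} hash computations: {survivors}")
    full = len(string.ascii_letters + string.digits + string.punctuation)
    print(f"category-6 keyspace for 8 characters ({full} symbols): {full ** 8}")
    print("core recovered from two of frank's passwords:",
          infer_template("cPP)t3G*", "cPz)t3A*"))
```

Two points worth noticing when running it: the hash counter grows with the number of uncracked accounts because of the per-row salt, which is the only thing the salt buys against a fast hash like SHA-1 (a slow, iterated hash such as bcrypt or PBKDF2 is what actually raises the per-guess cost); and the template `cPX)t3X*` recovered from just two of frank's passwords already pins six of eight positions, leaving a cracker a 94² search for each further site.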

Re: Kickstarter Hacked, But No Credit Card Data Stolen

What pisses me off is that it looks like names, phone numbers and e-mails were leaked. It has been shown time and again how easily you can use those to leverage access to various other services, each time gaining slightly more information. And, I'm sorry, I can't really change my name, phone number or main e-mail every time they screw up.
