Kickstarter Hacked, Customer Data Stolen

CommanderFrank

Kickstarter disclosed today that its security was breached this week and an unknown amount of customer data was stolen. The breach was fixed quickly, but the company recommends that all accounts change their passwords as a precaution.

The company learned of the breach on Wednesday from law enforcement officials.
 
Bloody fools were using SHA1 for the passwords. Might as well be flipping plaintext.

They have switched to bcrypt now.
 
Saw this earlier, already changed my password..... Didn't know they were using SHA1..... <sigh>.....
 
Slow hash algorithms and multi-factor authentication are the only things that are going to stop this; until then, fucking everything is going to keep getting hacked because there is too much profit in it.
 
I think every website should have to publish what hash they are using so people can avoid ones that use weak and old ones.
 
This isn't going to help my Kickstarter. Jeez, hackers, wait till my campaign is over! :p
 
Older passwords were uniquely salted and digested with SHA-1 multiple times. More recent passwords are hashed with bcrypt.

Just to help inform those who have issues reading.
 
I'd hate to see the logs every time someone accesses their system. :)

Normally you don't look at who logged into the system through normal means; you look at who accessed the system through ways that a system admin would be logging into the system. You look for commands that normally shouldn't be run, or, if they are, you want to know about it.

You want to know if somebody dumps a copy of the database. Even if you are doing a backup yourself, you would like to know every time that is run; that way, if you notice a time it is run when nobody should have been doing something, you know you might have a breach. If somebody logs into SSH on a server at 1am from Asia and you only have American employees, who are normally only in the servers between 8 am and 5 pm unless there is an issue, you know somebody got in that shouldn't have...
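The review described in the post above, sketched as an added example that is not part of the original thread: it flags SSH logins from outside known staff networks or outside 8 am to 5 pm, and database dumps that are not the scheduled backup. The log line format, the staff network range, the `backup` user and its 02:00 window are assumptions, and an address allowlist stands in for the country lookup.

```python
import ipaddress
import re
from datetime import datetime

# Assumptions (not from the thread): staff network, backup account and window.
STAFF_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # documentation range
WORK_HOURS = range(8, 17)      # 08:00-16:59 server time, per the post's 8 to 5
BACKUP_USER = "backup"         # hypothetical account that runs scheduled dumps
BACKUP_WINDOW = range(2, 3)    # scheduled backup runs during the 02:00 hour
DUMP_CMDS = re.compile(r"\b(mysqldump|pg_dump|pg_dumpall|mongodump)\b")

SSH_RE = re.compile(r"^(\S+) sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port")
CMD_RE = re.compile(r"^(\S+) audit: user=(\S+) cmd=(.+)$")

# Constructed sample lines in a simplified format (ISO timestamp first).
SAMPLE_LOG = """\
2024-01-10T02:00:01 audit: user=backup cmd=mysqldump --all-databases
2024-01-10T09:14:03 sshd[811]: Accepted publickey for alice from 198.51.100.23 port 50122 ssh2
2024-01-10T10:30:00 audit: user=alice cmd=ls /var/www
2024-01-11T01:07:44 sshd[990]: Accepted password for deploy from 203.0.113.77 port 41800 ssh2
2024-01-11T01:09:10 audit: user=deploy cmd=mysqldump app users
"""

def review(log_text):
    """Return (timestamp, reason) pairs for events a human should look at."""
    alerts = []
    for line in log_text.splitlines():
        if m := SSH_RE.match(line):
            ts, user, ip = m.groups()
            addr = ipaddress.ip_address(ip)
            if not any(addr in net for net in STAFF_NETS):
                alerts.append((ts, f"ssh login for {user} from unexpected address {ip}"))
            if datetime.fromisoformat(ts).hour not in WORK_HOURS:
                alerts.append((ts, f"ssh login for {user} outside working hours"))
        elif m := CMD_RE.match(line):
            ts, user, cmd = m.groups()
            hour = datetime.fromisoformat(ts).hour
            scheduled = user == BACKUP_USER and hour in BACKUP_WINDOW
            # Every dump is matched; only the ones outside the schedule alert.
            if DUMP_CMDS.search(cmd) and not scheduled:
                alerts.append((ts, f"database dump by {user}: {cmd}"))
    return alerts

if __name__ == "__main__":
    for ts, reason in review(SAMPLE_LOG):
        print(ts, reason)
```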
 
Shit I don't remember if I ever set up an account... there have been times I wanted to donate but haven't.

Either way chalk it up to making it easier for the consumer to give money by storing all their information online... YAY!
 