Kickstarter Security Breach - *No Stolen Credit Card Data*

[Fetzie]

https://www.kickstarter.com/blog/important-kickstarter-security-notice

 

On Wednesday night, law enforcement officials contacted Kickstarter and alerted us that hackers had sought and gained unauthorized access to some of our customers' data. Upon learning this, we immediately closed the security breach and began strengthening security measures throughout the Kickstarter system.

 

No credit card data of any kind was accessed by hackers. There is no evidence of unauthorized activity of any kind on all but two Kickstarter user accounts.

 

 

However, some customer data was taken, including encrypted passwords. If you have an account with Kickstarter, change your password as quickly as possible - as well as on any other sites that you used that password or email for and, just in case, keep an eye on your credit card/debit account statements.

[BrightCandle]

Anyone else getting sick of this constant getting hacked thing? So many of these companies are leaking our private details that its an in joke how public our private details, like our credit card numbers are! The lack of care and attention to complying with the law. The authorities ought to start handing out big fines for data breaches like this to start dissuading companies for lacklustre security.

[geogga]

Anyone else getting sick of this constant getting hacked thing? So many of these companies are leaking our private details that its an in joke how public our private details, like our credit card numbers are! The lack of care and attention to complying with the law. The authorities ought to start handing out big fines for data breaches like this to start dissuading companies for lacklustre security.

"So many of these companies are leaking..."

Obviously not on purpose...and almost every big company in the world's security have been breached atleast once; this case being less severe but still disheartening.

[Snickerzz]

Anyone else getting sick of this constant getting hacked thing? So many of these companies are leaking our private details that its an in joke how public our private details, like our credit card numbers are! The lack of care and attention to complying with the law. The authorities ought to start handing out big fines for data breaches like this to start dissuading companies for lacklustre security.

probably just a cover up, really the companies are giving our data to the nsa

[WanderingFool]

Anyone else getting sick of this constant getting hacked thing? So many of these companies are leaking our private details that its an in joke how public our private details, like our credit card numbers are! The lack of care and attention to complying with the law. The authorities ought to start handing out big fines for data breaches like this to start dissuading companies for lacklustre security.

As much as I believe certain companies have lax security, it is not always the companies to blame.

 

Just consider the factors that can go into making a dynamic website.  You have databases and php (or equivalents like jsp).  php has to connect to the databases in order to check the users...but the problem is a mistake on one php page can compromise the database.  A good youtube video about it actually

 

 

Now the other problem is php can be vulnerable too, and the apache server that executes the php can be vulnerable.  Just look at any software device, you are constantly getting security patches.  The problem is it isn't always possible to run the most up to date software (in cases where some updates can break code/uses)....so security patches need to be verified before being run....and sometimes they are hit with vulnerabilities that just haven't been patched yet in their underlying software.

 

On top of things which aren't in their control, you have the actual php writing...preventing things such as cross site scripting and such.  So I am not overly surprised that more information is being leaked, but I am not about the fully drop all the blame on the companies.

[LAwLz]

The passwords were salted so it's not really a big deal. At least KickStarter seems like they understand how to store passwords properly (looking at you Adobe).

[Kuzma]

The passwords were salted so it's not really a big deal. At least KickStarter seems like they understand how to store passwords properly (looking at you Adobe).

All that plain text

[Fetzie]

The passwords were salted so it's not really a big deal. At least KickStarter seems like they understand how to store passwords properly (looking at you Adobe).

 

True, but if it is possible to link an email address to another compromised website, then that encrypted password isn't nearly as secure. Especially if (or rather because) passwords are shared across multiple websites (which happens so often).

[geogga]

I have and use my main email as well as two simple passwords that if discovered my whole life could fail. Just because I'm too lazy to make different passwords and check my notepad for the password incase I forgot it(which would probably all the time). Oh well, I really should make different passwords

[BrightCandle]

The passwords were salted so it's not really a big deal. At least KickStarter seems like they understand how to store passwords properly (looking at you Adobe).

 

They were not. They came clean on Hacker news that the grand majority of the passwords were stored unsalted SHA1. They moved to salted about 6 months ago but never told anyone and they couldn't update the passwords with Salt without the users doing so. They never announced a big password change. You should assume your password was stored plain text because SHA1 is very very weak and it was not salted.

[LAwLz]

They were not. They came clean on Hacker news that the grand majority of the passwords were stored unsalted SHA1. They moved to salted about 6 months ago but never told anyone and they couldn't update the passwords with Salt without the users doing so. They never announced a big password change. You should assume your password was stored plain text because SHA1 is very very weak and it was not salted.

I looked up that post on hacker news and it seems pretty legit. It says that they ran old passwords through SHA1 multiple times though, which will hopefully make rainbow tables pretty much useless for even the old passwords (and with the newer passwords they are completely useless).

I am still pretty pleased with how Kickstarter handles passwords. SHA-1 is pretty obsolete these days but it's still not "very very weak", especially not if they ran multiple passes of it like they claimed.

 

I would like to see more websites be open about how they store passwords.