
Kickstarter Security Breach - *No Stolen Credit Card Data*

Fetzie

https://www.kickstarter.com/blog/important-kickstarter-security-notice

 

On Wednesday night, law enforcement officials contacted Kickstarter and alerted us that hackers had sought and gained unauthorized access to some of our customers' data. Upon learning this, we immediately closed the security breach and began strengthening security measures throughout the Kickstarter system.

 

No credit card data of any kind was accessed by hackers. There is no evidence of unauthorized activity of any kind on all but two Kickstarter user accounts.

 

 

However, some customer data was taken, including encrypted passwords. If you have an account with Kickstarter, change your password as quickly as possible, as well as on any other sites where you used that password or email, and, just in case, keep an eye on your credit/debit card statements.

Intel i7 5820K (4.5 GHz) | MSI X99A MPower | 32 GB Kingston HyperX Fury 2666MHz | Asus RoG STRIX GTX 1080ti OC | Samsung 951 m.2 nVME 512GB | Crucial MX200 1000GB | Western Digital Caviar Black 2000GB | Noctua NH-D15 | Fractal Define R5 | Seasonic 860 Platinum | Logitech G910 | Sennheiser 599 | Blue Yeti | Logitech G502

 

Nikon D500 | Nikon 300mm f/4 PF  | Nikon 200-500 f/5.6 | Nikon 50mm f/1.8 | Tamron 70-210 f/4 VCII | Sigma 10-20 f/3.5 | Nikon 17-55 f/2.8 | Tamron 90mm F2.8 SP Di VC USD Macro | Neewer 750II


Anyone else getting sick of this constant getting hacked thing? So many of these companies are leaking our private details that it's an in-joke how public our private details, like our credit card numbers, are! There is a lack of care and attention to complying with the law. The authorities ought to start handing out big fines for data breaches like this to start dissuading companies from lacklustre security.


Anyone else getting sick of this constant getting hacked thing? So many of these companies are leaking our private details that it's an in-joke how public our private details, like our credit card numbers, are! There is a lack of care and attention to complying with the law. The authorities ought to start handing out big fines for data breaches like this to start dissuading companies from lacklustre security.

"So many of these companies are leaking..."

Obviously not on purpose... and almost every big company in the world's security has been breached at least once; this case being less severe but still disheartening.

Selling my parts of my 900D rig for a jacked up Ncase M1. PM me for offers if interested (will take some reasonable-low offers because I'm desperate).

Parts that I'm selling: 900D (1 slot cover broken for stealth DVD drive mod) | Asus Z87 Deluxe | Cooler Master 212 Evo | Corsair 4x2GB black ram @1600mhz | EVGA 1000G2 PSU (2 cables with missing heat shrink) | DVD drive | HP membrane keyboard | Ducky Shine 3 YOTS in blue switches (warranty sticker broken)


Anyone else getting sick of this constant getting hacked thing? So many of these companies are leaking our private details that it's an in-joke how public our private details, like our credit card numbers, are! There is a lack of care and attention to complying with the law. The authorities ought to start handing out big fines for data breaches like this to start dissuading companies from lacklustre security.

Probably just a cover-up; really, the companies are giving our data to the NSA.

Case: NZXT Phantom PSU: EVGA G2 650w Motherboard: Asus Z97-Pro (Wifi-AC) CPU: 4690K @4.2ghz/1.2V Cooler: Noctua NH-D15 Ram: Kingston HyperX FURY 16GB 1866mhz GPU: Gigabyte G1 GTX970 Storage: (2x) WD Caviar Blue 1TB, Crucial MX100 256GB SSD, Samsung 840 SSD Wifi: TP Link WDN4800

 

Donkeys are love, Donkeys are life.                    "No answer means no problem!" - Luke 2015

 


Anyone else getting sick of this constant getting hacked thing? So many of these companies are leaking our private details that it's an in-joke how public our private details, like our credit card numbers, are! There is a lack of care and attention to complying with the law. The authorities ought to start handing out big fines for data breaches like this to start dissuading companies from lacklustre security.

As much as I believe certain companies have lax security, it is not always the companies to blame.

 

Just consider the factors that can go into making a dynamic website. You have databases and PHP (or equivalents like JSP). PHP has to connect to the databases in order to check the users... but the problem is a mistake on one PHP page can compromise the database. A good YouTube video about it actually

 

 

Now the other problem is PHP can be vulnerable too, and the Apache server that executes the PHP can be vulnerable. Just look at any software device; you are constantly getting security patches. The problem is it isn't always possible to run the most up-to-date software (in cases where some updates can break code/uses)... so security patches need to be verified before being run... and sometimes they are hit with vulnerabilities that just haven't been patched yet in their underlying software.

 

On top of things which aren't in their control, you have the actual PHP writing... preventing things such as cross-site scripting and such. So I am not overly surprised that more information is being leaked, but I am not about to fully drop all the blame on the companies.

0b10111010 10101101 11110000 00001101

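To make the "mistake on one PHP page can compromise the database" point concrete, here is an added example that is not code from the post above or from Kickstarter. It is written in Python against an in-memory SQLite database (rather than PHP and MySQL) so it runs stand-alone; the users table, the two accounts and the attacker inputs are all constructed for the demonstration. The same login query is shown built by string concatenation and with bound parameters.

```python
import sqlite3

# Constructed sample accounts for the demo (not real data). Passwords are kept
# in plaintext here only to isolate the injection point; never store them this way.
USERS = [("alice", "correct horse"), ("bob", "hunter2")]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return con


def login_vulnerable(con, name, password):
    """Query text assembled from user input: the input is parsed as SQL,
    so a quote in the username rewrites the WHERE clause."""
    sql = "SELECT name FROM users WHERE name = '%s' AND password = '%s'" % (name, password)
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(con, name, password):
    """Parameterised query: the driver binds the values as data, so the same
    inputs are compared literally and never change the statement's structure."""
    row = con.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?",
        (name, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    con = make_db()
    # Closes the string and comments out the password check for a known user.
    targeted = "alice' --"
    # No username needed: the OR makes the WHERE clause true for every row.
    blind = "' OR 1=1 --"
    return {
        "vulnerable_targeted": login_vulnerable(con, targeted, "wrong"),
        "vulnerable_any": login_vulnerable(con, blind, "wrong"),
        "safe_targeted": login_safe(con, targeted, "wrong"),
        "safe_any": login_safe(con, blind, "wrong"),
        "safe_real": login_safe(con, "alice", "correct horse"),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(check, "->", result)
```

Both payloads log in as alice through the concatenated query and are rejected by the parameterised one; only the genuine credentials succeed there. The fix is the query shape, not input filtering: bound parameters hold for every driver the page's PHP/JSP stack would use (PDO prepared statements, JDBC PreparedStatement), and no amount of quoting discipline on individual pages replaces it.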

The passwords were salted so it's not really a big deal. At least KickStarter seems like they understand how to store passwords properly (looking at you Adobe).


The passwords were salted so it's not really a big deal. At least KickStarter seems like they understand how to store passwords properly (looking at you Adobe).

All that plain text xD

Console optimisations and how they will effect you | The difference between AMD cores and Intel cores | Memory Bus size and how it effects your VRAM usage |
How much vram do you actually need? | APUs and the future of processing | Projects: SO - here

Intel i7 5820l @ with Corsair H110 | 32GB DDR4 RAM @ 1600Mhz | XFX Radeon R9 290 @ 1.2Ghz | Corsair 600Q | Corsair TX650 | Probably too much corsair but meh should have had a Corsair SSD and RAM | 1.3TB HDD Space | Sennheiser HD598 | Beyerdynamic Custom One Pro | Blue Snowball


The passwords were salted so it's not really a big deal. At least KickStarter seems like they understand how to store passwords properly (looking at you Adobe).

 

True, but if it is possible to link an email address to another compromised website, then that encrypted password isn't nearly as secure. Especially if (or rather because) passwords are shared across multiple websites (which happens so often).



I have and use my main email as well as two simple passwords that, if discovered, my whole life could fail. Just because I'm too lazy to make different passwords and check my notepad for the password in case I forgot it (which would probably be all the time). Oh well, I really should make different passwords.



The passwords were salted so it's not really a big deal. At least KickStarter seems like they understand how to store passwords properly (looking at you Adobe).

 

They were not. They came clean on Hacker News that the grand majority of the passwords were stored as unsalted SHA1. They moved to salted about 6 months ago but never told anyone, and they couldn't update the passwords with salt without the users doing so. They never announced a big password change. You should assume your password was stored in plain text because SHA1 is very very weak and it was not salted.


They were not. They came clean on Hacker News that the grand majority of the passwords were stored as unsalted SHA1. They moved to salted about 6 months ago but never told anyone, and they couldn't update the passwords with salt without the users doing so. They never announced a big password change. You should assume your password was stored in plain text because SHA1 is very very weak and it was not salted.

I looked up that post on Hacker News and it seems pretty legit. It says that they ran old passwords through SHA1 multiple times, though, which will hopefully make rainbow tables pretty much useless even for the old passwords (and with the newer passwords they are completely useless).

I am still pretty pleased with how Kickstarter handles passwords. SHA-1 is pretty obsolete these days but it's still not "very very weak", especially not if they ran multiple passes of it like they claimed.

 

I would like to see more websites be open about how they store passwords.

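The last few posts argue over unsalted SHA-1, iterated SHA-1 and salting. The following is an added example, not code from the thread or from Kickstarter, that shows what each choice does for an attacker holding the dumped hashes; the three accounts, their passwords and the five-word attacker wordlist are constructed for the demo, and PBKDF2-HMAC-SHA256 from the Python standard library stands in for whatever a site would actually deploy. It goes one step past the thread: iterating SHA-1 a fixed number of times is just another fixed function, so a precomputed table can still be built for it and reused against every user; only a per-user salt forces the work to be repeated per account, and only a slow KDF makes each repetition expensive.

```python
import hashlib
import hmac
import os

# Constructed sample accounts and a tiny attacker wordlist (not real data).
ACCOUNTS = {"alice": "letmein", "bob": "dragon", "carol": "Tr0ub4dor&3"}
WORDLIST = ["123456", "password", "letmein", "dragon", "qwerty"]


def sha1_iterated(data, rounds):
    """Apply SHA-1 'rounds' times; rounds=1 is plain SHA-1."""
    for _ in range(rounds):
        data = hashlib.sha1(data).digest()
    return data.hex()


def sha1_unsalted(pw, rounds=1):
    """Unsalted (optionally iterated) SHA-1, the scheme the thread says was used
    for older passwords. Equal passwords give equal hashes for every user."""
    return sha1_iterated(pw.encode(), rounds)


def sha1_salted(pw, salt, rounds=1):
    """The same hash with a random per-user salt prepended."""
    return sha1_iterated(salt + pw.encode(), rounds)


def crack_unsalted(stored, rounds=1):
    """Hash the wordlist once into a lookup table, then crack every account by
    lookup. Iterating SHA-1 makes the table slower to build, but it is still
    built once (the cost a rainbow table amortises) and reused for all users."""
    table = {sha1_unsalted(w, rounds): w for w in WORDLIST}
    found = {user: table.get(h) for user, h in stored.items()}
    return found, len(WORDLIST)  # work: one hash per wordlist entry, in total


def crack_salted(stored, rounds=1):
    """With a per-user salt no table can be shared: every guess has to be
    rehashed for each user, so the work grows with users x wordlist."""
    found, work = {}, 0
    for user, (salt, h) in stored.items():
        found[user] = None
        for w in WORDLIST:
            work += 1
            if sha1_salted(w, salt, rounds) == h:
                found[user] = w
                break
    return found, work


def hash_pbkdf2(pw, salt=None, iterations=200_000):
    """What a site should store instead: a salted, deliberately slow KDF
    (PBKDF2-HMAC-SHA256 here; bcrypt, scrypt or Argon2 are equally good).
    The stored record carries its own parameters so they can be raised later."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(pw, record):
    _, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison


def demo():
    unsalted = {u: sha1_unsalted(p) for u, p in ACCOUNTS.items()}
    iterated = {u: sha1_unsalted(p, rounds=1000) for u, p in ACCOUNTS.items()}
    salted = {}
    for u, p in ACCOUNTS.items():
        salt = os.urandom(8)
        salted[u] = (salt, sha1_salted(p, salt, rounds=1000))
    record = hash_pbkdf2(ACCOUNTS["carol"])
    return {
        "unsalted": crack_unsalted(unsalted),
        "iterated": crack_unsalted(iterated, rounds=1000),
        "salted": crack_salted(salted, rounds=1000),
        "pbkdf2_ok": verify_pbkdf2("Tr0ub4dor&3", record),
        "pbkdf2_bad": verify_pbkdf2("letmein", record),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

All three SHA-1 variants give up alice's and bob's dictionary passwords and none gives up carol's, so salting does not rescue a weak password; what changes is the cost. The unsalted and iterated cases are cracked with five hash computations shared across every account, while the salted case needs twelve for three accounts and would scale with the size of the dump. That is the difference the thread is circling: iteration raises the price of each guess, the salt stops one table from paying for all users, and a real KDF like the PBKDF2 record above does both with a work factor you can increase as hardware gets faster.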
