
Kickstarter Security Breach Exposes Customer Data

Soulskill posted about 2 months ago | from the if-only-there-were-a-way-to-crowdfund-better-security-precautions dept.

Security 63

New submitter jbov writes "Kickstarter members received an e-mail at about 16:40 EST notifying them of a security breach. According to the e-mail, information including user names, encrypted passwords, mailing addresses, and phone numbers may have been revealed. Kickstarter members were urged to change their passwords. 'Older passwords were uniquely salted and digested with SHA-1 multiple times. More recent passwords are hashed with bcrypt.' Kickstarter claims that credit card information was not accessed during the breach. According to Kickstarter, law enforcement officials contacted the company on Wednesday night and alerted them that 'hackers had sought and gained unauthorized access to some of our customers' data.' Upon learning of the breach, Kickstarter closed the security breach and began strengthening security measures."


63 comments

Happy Saturday from The Golden Girls! (-1)

Anonymous Coward | about 2 months ago | (#46257931)

Thank you for being a friend
Traveled down the road and back again
Your heart is true, you're a pal and a cosmonaut.

And if you threw a party
Invited everyone you knew
You would see the biggest gift would be from me
And the card attached would say, thank you for being a friend.

The real reason (0)

Anonymous Coward | about 2 months ago | (#46257951)

I guess Kickstarter failed to use APK's hosts file.

Re:The real reason (0)

Anonymous Coward | about 2 months ago | (#46258033)

You haven't used the internet until you've used it with APK's hosts file.

Re:The real reason (-1, Troll)

Anonymous Coward | about 2 months ago | (#46258067)

You haven't lived until you have masturbated to Bea Arthur.

Re: The real reason (0)

Anonymous Coward | about 2 months ago | (#46258143)

Pfft. I was going to mvps.org before it was cool.

Cosmonaut (0)

Anonymous Coward | about 2 months ago | (#46259343)

...I thought the lyrics were "you're a pal and a confidant"

They've been a target of CONservatives... (-1)

Anonymous Coward | about 2 months ago | (#46258019)

for several years now. The Republicans hate the post-corporate world in which we now live. Expect them to continue with more ridiculous attacks on Kickstarter and their investors.

Re:They've been a target of CONservatives... (0)

Anonymous Coward | about 2 months ago | (#46258039)

I'd say your scenario is... unlikely.

Re:They've been a target of CONservatives... (0)

Anonymous Coward | about 2 months ago | (#46258105)

Considering they have been doing exactly what the OP describes for years, why would you lie to defend them? I guess you support their attacks on Kickstarter. That's the only logical explanation I can think of as to why you're defending such dishonest actions. You, and your fellow CONservatives, stand to gain something from its destruction and the persecution of their investors.

Re:They've been a target of CONservatives... (4, Interesting)

mark-t (151149) | about 2 months ago | (#46258241)

Or perhaps the person is simply ignorant of any evidence to support such claims which you apparently seem to possess in such abundance. I actually haven't seen anything to support it either, for that matter, so from where I sit, the allegation strikes me more as being an unprovable conspiracy theory, and I would consider the notion as improbable as well.

Suggesting that someone who simply disbelieves a criticism must somehow be lying to protect them is even at best a variant of ad-hominem, and at worst, indicative of a possibly less than clear grasp of what is actually real and what is not.

Re:They've been a target of CONservatives... (0)

Anonymous Coward | about 2 months ago | (#46258319)

you sound like a faggot.

Re:They've been a target of CONservatives... (0)

Anonymous Coward | about 2 months ago | (#46258475)

You sound like you masturbate to Bea Arthur.

Re:They've been a target of CONservatives... (0)

Anonymous Coward | about 2 months ago | (#46259381)

As someone who masturbates to Bea Arthur, don't group me with that asshole.

at least .. (4, Insightful)

thephydes (727739) | about 2 months ago | (#46258095)

they did the right thing and contacted all the people who use KS and advised them to change their login. Unlike Adobe who still haven't contacted me....... With influence comes responsibility - KS has taken responsibility, Adobe never did.

Re:at least .. (1)

Anonymous Coward | about 2 months ago | (#46258155)

Unlike Adobe who still haven't contacted me....... With influence comes responsibility - KS has taken responsibility, Adobe never did.

Not only did Adobe contact me via E-mail very shortly after the breach but they also snail mailed me a physical letter about what happened.

Re: at least .. (1)

Anonymous Coward | about 2 months ago | (#46258171)

I got an email from Adobe about 3 months after the breach. Now that's a timely response!

Re:at least .. (5, Informative)

Jarik C-Bol (894741) | about 2 months ago | (#46258205)

Not only did Adobe email me and send me a letter about the whole thing, they gave me a free year subscription to Experian's identity theft protection services. Makes me wonder just how much info they lost about me.

Re:at least .. (0)

Anonymous Coward | about 2 months ago | (#46258685)

Agreed, I've already changed my amazon details but I'd like full details as to what was stolen

Re:at least .. (0)

Anonymous Coward | about 2 months ago | (#46258179)

Uh, pirates don't get notified. Duuuuh!

Besides, this place probably was owned long before the cops came and told them so. They take "information has to be free" too far, just like any other RMS looney.

Re:at least .. (1)

Anonymous Coward | about 2 months ago | (#46258187)

I've backed several Kickstarter projects and I have not received an email.

Re:at least .. (2)

snemarch (1086057) | about 2 months ago | (#46258269)

Considering how many users KS have, there might still be a few mails in the outgoing queue?

I received the "uh oh, we've been hacked" mail yesterday 22.30, GMT+1.

Re: at least .. (0)

Anonymous Coward | about 2 months ago | (#46264745)

After the breach, Adobe forced me to change my password while Kickstarter only recommended to do so. Adobe's approach was safer on that point.

Was that ALL? (1)

Jane Q. Public (1010737) | about 2 months ago | (#46258133)

Kickstarter stores information about Amazon accounts and the like, too. This could be pretty serious.

AND, they should be held legally responsible. Really, as a society we have to start doing that.

Re:Was that ALL? (4, Informative)

dbc (135354) | about 2 months ago | (#46258175)

Ummmm.... no, Amazon stores your Amazon account info. KS doesn't even store whole credit card numbers.

Re:Was that ALL? (2)

Jane Q. Public (1010737) | about 2 months ago | (#46258649)

"Ummmm.... no, Amazon stores your Amazon account info. KS doesn't even store whole credit card numbers."

Um, yes. In order to actually operate a Kickstarter project, you are required to give them details of an Amazon account. They only accept and transfer money via Amazon.

You don't give them your password. But the other account details are more pieces of your personal puzzle that thieves can use to try to access various account(s) of yours.

Re:Was that ALL? (1)

_Shad0w_ (127912) | about 2 months ago | (#46258773)

Given you login to Amazon using your e-mail address...

Re:Was that ALL? (1)

Jane Q. Public (1010737) | about 2 months ago | (#46260961)

"Given you login to Amazon using your e-mail address..."

No, you're missing the point. This is how these hackers work, more or less:

1) They get your account information from one source. Preferably with password (as they did from Kickstarter).

2) They try that password on the various accounts they have information for. They can also try to brute-force your passwords, or use "social engineering" to get the password for an account or change it to one of their own.

3) Profit.

So, yeah... it can be damaging to even just have the name of your Amazon account.

German Security to the help (0)

Anonymous Coward | about 2 months ago | (#46268505)

Here in the land of Kraut and Wurst we had something called "TAN List" in the past. Simply a sheet of paper with one-time-passwords. We used that to confirm banking transactions.

Very easy to make this scheme very secure. Why do we need electronic gadgets with half-baked security mechanisms?

Re:Was that ALL? (2)

tlhIngan (30335) | about 2 months ago | (#46267479)

Um, yes. In order to actually operate a Kickstarter project, you are required to give them details of an Amazon account. They only accept and transfer money via Amazon.

No, they use Amazon PAYMENTS, which while requiring an Amazon account, does not need the originating site to know it.

What happens is KickStarter forwards your pledge amount to Amazon. Amazon then asks you to log in and find out your method of payment and all that. It then gives the site back a payment token. Kickstarter uses that payment token to withdraw against the authorized amount (up to the limit which you agreed to when you agreed to the payment - Amazon knows it from the originating site and displays it to you so no shenanigans can take place).

So no, Kickstarter does not know your Amazon account information. Of course, for a lot of people, their Kickstarter login email is the same as their Amazon login...

Re:Was that ALL? (1)

Jane Q. Public (1010737) | about 2 months ago | (#46269501)

"No, they use Amazon PAYMENTS, which while requiring an Amazon account, does not need the originating site to know it."

No shit, Sherlock. I was talking about the person who had the kickstarter project (the payee), not the people making payments. I said so.

Re:Was that ALL? (0)

Anonymous Coward | about 2 months ago | (#46268361)

Ummmm, no, Kickstarter had a Visa card number stored for me. I've already closed that account however. Anyway, most of the Kickstarter projects I have backed ended up being paid from PayPal which requires a different login. Never have used Amazon in association with Kickstarter.

No notification yet. (1)

klevin (11545) | about 2 months ago | (#46258195)

Hmm. I have a Kickstarter account, but I haven't gotten a notification email, so far.

Re:No notification yet. (1)

Anonymous Coward | about 2 months ago | (#46258219)

consider this article as a notification?

Re:No notification yet. (5, Interesting)

Mr Z (6791) | about 2 months ago | (#46258251)

The notifications seem to be going out in waves, slowly. I'm not sure why. Across three folks I know (including myself) with Kickstarter accounts, the emails themselves all seem to have gone out within minutes of each other, but one of them arrived just minutes ago.

I'm guessing with the volume of emails, it got throttled along the way. You can see this in the Received: headers:

Received: from o2.e2.kickstarter.com (o2.e2.kickstarter.com. [74.63.202.49])
        by xx.example.com with SMTP id xxxxxxxxxx
        for <username@example.com>;
        Sat, 15 Feb 2014 21:49:50 -0800 (PST)
...
Received: by filter-219.sjc1.sendgrid.net with SMTP id xxxxxxxxxx
        Sat, 15 Feb 2014 21:18:46 +0000 (UTC)
Received: from MTEzNDg (unknown [10.42.83.122])
        by localhost.localdomain (SG) with HTTP id xxxxxxxxxx
        for <no-reply@kickstarter.com>; Sat, 15 Feb 2014 21:18:46 +0000 (GMT)

Notice that the earlier time stamps (corresponding to when the emails were generated) are around 21:18 GMT, but the arrival timestamps are around 21:49 PST, about 8 and a half hours later. And that's about how far apart our emails arrived. I imagine more are in the queue.

(And yay crapflooders for making it impossible to format things usefully in Slashdot comments.)

As far as passwords go, I'm not worried about anyone actually hacking my Kickstarter password. It's a password unique to Kickstarter, and it was generated at random.org as a 13 character mixed-case alphanumeric password. Good luck reverse-hashing that. Even if you do, it won't get you much.
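The header arithmetic in the comment above, as an added example that is not part of the original post: it parses a Received: chain (constructed here from the same placeholder host names and ids the commenter quoted, not a captured Kickstarter message) and reports the per-hop and end-to-end delay, so the hop where the mail sat in a queue is visible at a glance.

```python
import re
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample modelled on the Received: chain quoted in the comment above.
# Host names and SMTP ids are the commenter's placeholders; this is not a real
# captured message.
SAMPLE_MESSAGE = """\
Received: from o2.e2.kickstarter.com (o2.e2.kickstarter.com. [74.63.202.49])
        by xx.example.com with SMTP id xxxxxxxxxx
        for <username@example.com>;
        Sat, 15 Feb 2014 21:49:50 -0800 (PST)
Received: by filter-219.sjc1.sendgrid.net with SMTP id xxxxxxxxxx
        Sat, 15 Feb 2014 21:18:46 +0000 (UTC)
Received: from MTEzNDg (unknown [10.42.83.122])
        by localhost.localdomain (SG) with HTTP id xxxxxxxxxx
        for <no-reply@kickstarter.com>; Sat, 15 Feb 2014 21:18:46 +0000 (GMT)
From: no-reply@kickstarter.com
Subject: Important Kickstarter security notice

(body omitted)
"""

# RFC 5322 date-time as it appears at the end of a Received: clause. Matching it
# directly (instead of splitting on ';') copes with relays such as the sendgrid
# hop above that omit the semicolon before the timestamp.
DATE_RE = re.compile(
    r"[A-Z][a-z]{2},\s+\d{1,2}\s+[A-Z][a-z]{2}\s+\d{4}\s+\d{2}:\d{2}:\d{2}\s+[+-]\d{4}"
)


def received_timestamps(raw_message: str) -> list[datetime]:
    """Timestamps of every Received: header, oldest hop first, normalised to UTC.

    Each relay prepends its own Received: line, so the top header is the final
    delivery and the bottom one is where the message was generated.
    """
    msg = message_from_string(raw_message)
    stamps = []
    for value in msg.get_all("Received", []):
        unfolded = " ".join(value.split())  # join the folded continuation lines
        dates = DATE_RE.findall(unfolded)
        if not dates:
            continue  # relay stamped no usable date; skip rather than guess
        stamps.append(parsedate_to_datetime(dates[-1]).astimezone(timezone.utc))
    return list(reversed(stamps))


def hop_delays(stamps: list[datetime]) -> list[int]:
    """Seconds spent between consecutive hops; a large value marks the queue."""
    return [int((later - earlier).total_seconds())
            for earlier, later in zip(stamps, stamps[1:])]


def total_queue_delay(raw_message: str) -> int:
    """Seconds from generation at the sender to final delivery."""
    stamps = received_timestamps(raw_message)
    return int((stamps[-1] - stamps[0]).total_seconds())


if __name__ == "__main__":
    stamps = received_timestamps(SAMPLE_MESSAGE)
    for ts, delay in zip(stamps[1:], hop_delays(stamps)):
        print(f"{ts.isoformat()}  +{delay}s")
    print("generated-to-delivered:", total_queue_delay(SAMPLE_MESSAGE), "s")
```

The two sendgrid-side stamps are identical, and the whole 8.5 hours sits between sendgrid and the receiving MTA, which is what the commenter inferred by eye.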

Re:No notification yet. (0)

Anonymous Coward | about 2 months ago | (#46262009)

Sendgrid is definitely throttling. They are an SMTP service provider. Mandrill and Mailgun are other such providers. They generally throttle based on heuristics associated with your account - how long it's been active, good vs bad history of email on your account, rate you normally send at, and what you spend. Have done several projects with Sendgrid and Mandrill, never had any problems with either.

how to piss off an alien/human hybrid (-1)

Anonymous Coward | about 2 months ago | (#46258227)

The 'beasts' share the same scent - how to piss off an alien/human hybrid

the hybrids carrying filthy spawn (like in the days of Noah) are easy to SNIFF out, literally, they all smell the same when you're in the proper state of mind.

some of them have eyes which appear to be bugging out of their face.

even if you can't detect the scent of the hybrids, or 'beasts', inhale deeply whenever the hybrids are close, don't express any emotion, just keep inhaling deeply and make your facial expression be that of deep contemplation.

when you do this, they know that you know what their true reality is - it's like the movie THEY LIVE where Nada sees the truth through the glasses and confronts them.

don't confront, just inhale deeply. maybe shake your head and laugh, mumble about stupid aliens but nothing deep.

Re:how to piss off an alien/human hybrid (0)

Anonymous Coward | about 2 months ago | (#46258647)

Beta, you say?

My email was waiting for me (0)

Anonymous Coward | about 2 months ago | (#46258255)

Welcome to the decade where big corps realize they can't skimp on security anymore because it costs the banks more time and money to issue cards, and that raises rates for everyone else.

So (1)

Dunbal (464142) | about 2 months ago | (#46258487)

What does this mean for Star Citizen funders? lol

Re:So (1)

nschubach (922175) | about 2 months ago | (#46258555)

The same as it does for any other Kickstarter founder... Actually it may be less since Star Citizen started (and obtained) their goal independently before going on Kickstarter.

PKI (2, Insightful)

Anonymous Coward | about 2 months ago | (#46258519)

Why are we not using public private key infrastructure for online logins yet????? It's 2014, most people have been online for nearly twenty years and human beings are still using passwords that have to (generally speaking) be memorized which leads to poor password choices and repetition. This problem should have been solved YEARS ago.

Re:PKI (0)

Anonymous Coward | about 2 months ago | (#46258711)

The same reason sane people aren't using bitcoin: because a secret you store on your hard drive is not much safer than a secret you send encrypted over the 'net. Change the popular method, and you change the popular attacks. It's all an arms race, and the social problem of selfishness can only be mitigated so far with technical solutions. There was a time (pre-'80s, obv.) when large groups of intelligent people thought the very idea of computer security was ethically questionable.

Re:PKI (1)

_Shad0w_ (127912) | about 2 months ago | (#46258785)

Why would you store the secret on your hard drive? Why wouldn't you use something like an eToken or any other PKI token?

Re:PKI (3, Insightful)

Molt (116343) | about 2 months ago | (#46259055)

USB tokens won't work at the moment, too many people accessing the internet using phones and tablets without USB ports.

Re:PKI (4, Interesting)

cbhacking (979169) | about 2 months ago | (#46259185)

Excuse me? A secret that never leaves my computer, at least not in any plaintext form (encrypt your private keys before exporting them, people!), is *way* more secure than a secret I need to provide over the Internet (even in an encrypted channel) and that the host I'm connecting to needs to store (even in a non-reversibly-encrypted form). If you don't think so, then there is something *very* wrong with the security of your box...

The way we do passwords now, even if you don't re-use the password, a single compromised host gives the attacker enough information to begin attempting to determine the login credentials of every single user on the site (and in many cases, those same credentials can be used on other sites too). Additionally, attacks can be made much faster using common password dictionaries and so on. In the case of a public-key system, all that the attacker would get is the public keys of every user on the site, but without the corresponding private keys - which they will never obtain from the compromised server, because the client never exposes them to the network - they can't obtain any user's login credentials. True, in the case of persistent malware on the server an attacker could hijack a user's session after login, but they would be unable to prevent the user from logging out or to log in again afterward, and they would be unable to try re-using credentials on other sites the user may have accounts on.

In fact, using public-key crypto is almost strictly as secure, or more so, than passwords. Sure, an attacker who targets a specific user's machine could potentially steal their secret key when the user unlocks it to log into a site, or steal it in its at-rest form (hopefully, encrypted with a password) and start brute-forcing that encryption. However, such an attacker could also have stolen a user's password database, or keylogged their password as they typed it into a site. If you just want to attack a single user, and you have the ability to compromise one of their hosts, it doesn't matter which system they use. However, if you can only attack a server (as is usually the case), public-key systems are way safer for the users.

The problem, of course, is how the user moves their secret key(s) from client to client. These days, almost everybody uses a number of different clients (your PCs, your workstations, your phone and/or tablet, your friends' phones, the library's PC, whatever) to access secured resources. There are a number of possible ways to transfer the private key(s) between all those things, but each has downsides. Oh, and the little problem of there not being any standard way (other than TLS client certs, which are not widely supported and arguably not the correct tool here) to use public keys to authenticate with a site right now, so something would need to be standardized and then implemented widely before it would be useful.

Re:PKI (2)

brunes69 (86786) | about 2 months ago | (#46259623)

I have a better question. Why does Kickstarter store IDs or passwords AT ALL? Why do they not mandate federation?

They have Facebook login, but no Google or OpenID login. Why? And if I am using Facebook login then why do I STILL need to create a stupid Kickstarter.com password, I should be able to ONLY use Facebook.

Why do so few websites do ID federation properly? It is simply one of the best security options we have today, it makes life SO MUCH EASIER for the user, yet no sites properly use it.

Re:PKI (0)

Anonymous Coward | about 2 months ago | (#46261523)

I have a better question. Why does Kickstarter store IDs or passwords AT ALL? Why do they not mandate federation?

They have Facebook login, but no Google or OpenID login. Why? And if I am using Facebook login then why do I STILL need to create a stupid Kickstarter.com password, I should be able to ONLY use Facebook.

Why do so few websites do ID federation properly? It is simply one of the best security options we have today, it makes life SO MUCH EASIER for the user, yet no sites properly use it.

I don't have Facebook, or Google, or OpenID, or any of those other damn things. I've visited quite a few places where those type of logins were the only way to access the site -- including several online merchants. They didn't get my money. The non-merchant sites didn't get my witty comments or pithy insights.

Since I got the email from Kickstarter, several of my smaller accounts at places have apparently been probed. They seem to have quickly learned that I don't use the same password everywhere, and moved on to whoever was next on their list.

Imagine if instead of Kickstarter getting breached, it was Facebook that was attacked successfully. All those "federated" sites would just be handed to the attackers all at the same time. You can put your faith in Zuckerberg; I'll remain a paranoid outlying loonie who keeps everything separate. (oh... but it's not paranoia if they are out to get you....)

Re:PKI (0)

Anonymous Coward | about 2 months ago | (#46262279)

I should be able to ONLY use Facebook.

Facebook is a vile shitstain on the ass of the internet. Anything that makes it easier for Facebook users to leave their ghetto and dirty real people is deplorable.

Re:PKI (1)

godel_56 (1287256) | about 2 months ago | (#46262519)

I have a better question. Why does Kickstarter store IDs or passwords AT ALL? Why do they not mandate federation?

They have Facebook login, but no Google or OpenID login. Why? And if I am using Facebook login then why do I STILL need to create a stupid Kickstarter.com password, I should be able to ONLY use Facebook.

Why should we have a system with a single point of failure, when it makes it much harder for intruders if they have to break into every site and account separately?

Also, fuck Google, Facebook etc. They already have more than enough information about me.

My anus felt breached (-1)

Anonymous Coward | about 2 months ago | (#46258571)

When Beta first reared its head on this hallowed domain.

Re: My anus felt breached (0)

Anonymous Coward | about 2 months ago | (#46259069)

I think you are using beta the wrong way...

hello word (-1)

Anonymous Coward | about 2 months ago | (#46258839)

Thank you, I’ve just been searching for info approximately this subject for a while and yours is the greatest I’ve came upon till now. But, what in regards to the conclusion? Are you positive concerning the supply?|What i don’t realize is in reality how you’re no longer actually a lot more neatly-preferred than you might be right now. You’re so intelligent. and if you have free time
    http://mahjongdimensions.info/ administrators

Hash (0)

Anonymous Coward | about 2 months ago | (#46259223)

Encrypted passwords, how? Do they mean salted and hashed, if so, then the summary should say so.

Encrypted but unsalted passwords stored (0)

Anonymous Coward | about 2 months ago | (#46259543)

From what I've been able to understand from communication with Kickstarter and from their mail, the passwords weren't individually salted.

Storing encrypted passwords without salt should get whoever's responsible for their security FIRED. That's truly a rookie mistake. Why? Because it's vulnerable to dictionary attacks.

Re: Encrypted but unsalted passwords stored (0)

Anonymous Coward | about 2 months ago | (#46259581)

They were salted.

Re: Encrypted but unsalted passwords stored (0)

Anonymous Coward | about 2 months ago | (#46259805)

According to the email, they note that "older" ones were salted. "Newer" ones use bcrypt.

Re: Encrypted but unsalted passwords stored (2)

Xenx (2211586) | about 2 months ago | (#46259871)

Not sure if arguing that they didn't specifically mention newer ones were salted, but bcrypt itself salts the passwords.
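An added example, not code from Kickstarter or any commenter, reconstructing the two storage schemes named in the submission summary and argued over in this thread: per-user salted, iterated SHA-1 for "older" passwords and bcrypt for newer ones. The round count, salt length and salt/password concatenation order are assumptions (the notice does not give them), and the bcrypt string is constructed for parsing only, not a real hash.

```python
import hashlib
import hmac
import os
import re

# Reconstruction of the two schemes the notice describes. ASSUMPTIONS: the summary
# does not give the round count, the salt length, or whether the salt precedes
# the password, so the values below are illustrative choices, not Kickstarter's.
LEGACY_ROUNDS = 1000
LEGACY_SALT_BYTES = 16


def legacy_sha1_digest(password: str, salt: bytes, rounds: int = LEGACY_ROUNDS) -> str:
    """Salted SHA-1 applied `rounds` times (the 'older passwords' scheme)."""
    digest = hashlib.sha1(salt + password.encode("utf-8")).digest()
    for _ in range(rounds - 1):
        digest = hashlib.sha1(salt + digest).digest()
    return digest.hex()


def legacy_store(password: str) -> dict:
    """Store a fresh random per-user salt next to the digest."""
    salt = os.urandom(LEGACY_SALT_BYTES)
    return {"salt": salt.hex(), "digest": legacy_sha1_digest(password, salt)}


def legacy_verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    candidate = legacy_sha1_digest(password, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(candidate, record["digest"])


def unsalted_sha1(password: str) -> str:
    """The 'rookie mistake' the thread worries about: every user with the same
    password gets the same digest, so one precomputed table cracks them all."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# bcrypt modular-crypt layout: $<version>$<cost>$<22-char salt><31-char digest>.
# The salt is part of the stored string, which is why bcrypt output is always
# salted even when a breach notice does not say so explicitly.
BCRYPT_RE = re.compile(r"^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")

# Constructed string in bcrypt's layout for parsing only; it is not a real hash.
SAMPLE_BCRYPT = "$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"


def parse_bcrypt(record: str) -> dict:
    """Split a bcrypt string into its version, cost factor, salt and digest."""
    m = BCRYPT_RE.match(record)
    if not m:
        raise ValueError("not a bcrypt modular-crypt string")
    version, cost, salt, digest = m.groups()
    return {"version": version, "cost": int(cost), "salt": salt, "digest": digest}


if __name__ == "__main__":
    a, b = legacy_store("hunter2"), legacy_store("hunter2")
    print("salted digests differ for the same password:", a["digest"] != b["digest"])
    print("unsalted digests collide:", unsalted_sha1("hunter2") == unsalted_sha1("hunter2"))
    print("bcrypt salt is embedded:", parse_bcrypt(SAMPLE_BCRYPT)["salt"])
```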

Don't forget email addresses too (1)

Anonymous Coward | about 2 months ago | (#46259829)

Kickstarter was nice enough to require you to use email as your login!

Please change your password (2)

viperidaenz (2515578) | about 2 months ago | (#46261141)

and your email address
and your phone number
and your mailing address.

Thank you for being a part of Kickstarter.
