Kickstarter picks Saturday to tell users they've been hacked
If you want to share bad news, send it along on the Saturday of a long weekend. Kickstarter has been hacked, and its 5.6 million user-investors put at risk for identity theft, the firm told customers in an email sent on Saturday.
Hackers may have stolen usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords, the firm said. It said that financial information, such as credit cards, was not compromised.
Kickstarter learned of the hack when it was told by "law enforcement officials" on Wednesday, according to the email, which was signed by Kickstarter CEO Yancey Strickler. According to an accompanying blog post, the firm waited until the weekend to tell users because... well, he didn't exactly explain why, but said the firm "notified everyone as soon as we had thoroughly investigated the situation."
While the stolen passwords were encrypted, Strickler wrote that users should change their passwords, because "it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one." Kickstarter investors who use that same password at other sites are urged to change those passwords, too. Typically, when hackers steal a hoard of usernames and passwords from any site, they immediately try those combinations on large, popular sites, such as Amazon.com.
Kickstarter is a popular crowdfunding website that matches small investors with a wide range of entrepreneurs from restaurateurs to filmmakers. The firm's website says 5.6 million people have pledged funding on the site to 56,000 projects since its launch in 2009.
Add Kickstarter to the list of firms that have been forced to send what I call "Dear John data Letters" to their users. "We lost your data, we're sorry. Best wishes," these notes say. The notes are "never ending," lamented a reader who shared his Kickstarter email with me.
Javelin Strategy & Research recently reported a sharp rise in identity theft, with 13.1 million victims last year.
"We’re incredibly sorry that this happened. We set a very high bar for how we serve our community, and this incident is frustrating and upsetting," Strickler wrote. "We have since improved our security procedures and systems in numerous ways, and we will continue to do so in the weeks and months to come. We are working closely with law enforcement, and we are doing everything in our power to prevent this from happening again."