Kickstarter Security Breach Exposes Customer Data
New submitter jbov writes "Kickstarter members received an e-mail at about 16:40 EST notifying them of a security breach. According to the e-mail, information including user names, encrypted passwords, mailing addresses, and phone numbers may have been revealed. Kickstarter members were urged to change their passwords. 'Older passwords were uniquely salted and digested with SHA-1 multiple times. More recent passwords are hashed with bcrypt.' Kickstarter claims that credit card information was not accessed during the breach. According to Kickstarter, law enforcement officials contacted the company on Wednesday night and alerted them that 'hackers had sought and gained unauthorized access to some of our customers' data.' Upon learning of the breach, Kickstarter closed the security breach and began strengthening security measures."
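The two password schemes the summary names differ in how much a leaked database is worth to an attacker, and the usual way a site ends up with both is that it migrates hashes only when a user next logs in. The following is an added example, not Kickstarter's code: it models the "older" scheme as a per-user salt plus SHA-1 applied repeatedly (the salt placement and 1000-round count are assumptions), models the "more recent" scheme with PBKDF2-HMAC-SHA256 from the standard library as a stand-in for bcrypt (which is what the summary names but is not in the standard library), shows the rehash-on-login migration, and runs an offline dictionary attack against a dumped legacy record.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the "older" scheme the summary describes: a
# per-user random salt and SHA-1 applied multiple times. Salt placement
# and round count here are assumptions, not Kickstarter's actual code.
LEGACY_ROUNDS = 1000

def legacy_hash(password, salt, rounds=LEGACY_ROUNDS):
    digest = hashlib.sha1(salt + password.encode("utf-8")).digest()
    for _ in range(rounds - 1):
        digest = hashlib.sha1(digest).digest()
    return digest

def legacy_record(password):
    salt = os.urandom(16)
    return {"scheme": "sha1x", "salt": salt, "hash": legacy_hash(password, salt)}

# Stand-in for the "more recent" scheme. The summary names bcrypt, which is
# not in the Python standard library, so PBKDF2-HMAC-SHA256 with a high
# iteration count plays the role of the slow, tunable password hash here.
NEW_ITERATIONS = 200_000

def new_record(password):
    salt = os.urandom(16)
    h = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, NEW_ITERATIONS)
    return {"scheme": "pbkdf2", "salt": salt, "hash": h, "iterations": NEW_ITERATIONS}

def verify(record, password):
    if record["scheme"] == "sha1x":
        candidate = legacy_hash(password, record["salt"])
    elif record["scheme"] == "pbkdf2":
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        record["salt"], record["iterations"])
    else:
        return False
    # Constant-time comparison so an online verifier does not leak matching bytes.
    return hmac.compare_digest(candidate, record["hash"])

def login(record, password):
    """Verify the password; on success, migrate a legacy record to the new scheme.

    This is the usual "rehash on next login" pattern: the old hash survives in
    the database until the user signs in, so a dump taken before then still
    contains the cheaper SHA-1 hash.
    """
    if not verify(record, password):
        return False, record
    if record["scheme"] == "sha1x":
        return True, new_record(password)
    return True, record

def crack_legacy(record, wordlist):
    """Offline dictionary attack on one dumped legacy record.

    The unique salt means each user must be attacked separately (no shared
    precomputed table), but each guess still costs only LEGACY_ROUNDS SHA-1
    calls, which is why a weak password does not survive a leak.
    """
    for guess in wordlist:
        if hmac.compare_digest(legacy_hash(guess, record["salt"]), record["hash"]):
            return guess
    return None

if __name__ == "__main__":
    rec = legacy_record("hunter2")
    print("legacy verify:", verify(rec, "hunter2"))
    ok, rec = login(rec, "hunter2")
    print("after login scheme:", rec["scheme"])
    print("cracked:", crack_legacy(legacy_record("hunter2"), ["letmein", "hunter2"]))
```

The practical consequence for a user is the one the summary implies: an account that has not logged in since the scheme changed is still protected only by the salted SHA-1 hash, so the advice to change the password applies most to old accounts with guessable passwords.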
Not only did Adobe email me and send me a letter about the whole thing, they gave me a free year subscription to Experian's identity theft protection services. Makes me wonder just how much info they lost about me.
I've decided to Diversify my Holdings. I've divided my cash between my left and right pockets, instead of all in one.
The notifications seem to be going out in waves, slowly. I'm not sure why. Across three folks I know (including myself) with Kickstarter accounts, the emails themselves all seem to have gone out within minutes of each other, but one of them arrived just minutes ago.
I'm guessing with the volume of emails, it got throttled along the way. You can see this in the Received: headers:
Received: from o2.e2.kickstarter.com (o2.e2.kickstarter.com. [74.63.202.49])
        ...
        by xx.example.com with SMTP id xxxxxxxxxx
        for <username@example.com>;
        Sat, 15 Feb 2014 21:49:50 -0800 (PST)
Received: by filter-219.sjc1.sendgrid.net with SMTP id xxxxxxxxxx
        Sat, 15 Feb 2014 21:18:46 +0000 (UTC)
Received: from MTEzNDg (unknown [10.42.83.122])
        by localhost.localdomain (SG) with HTTP id xxxxxxxxxx
        for <no-reply@kickstarter.com>; Sat, 15 Feb 2014 21:18:46 +0000 (GMT)
Notice that the earlier timestamps (corresponding to when the emails were generated) are around 21:18 GMT, but the arrival timestamps are around 21:49 PST, about 8 and a half hours later. And that's about how far apart our emails arrived. I imagine more are in the queue.
(And yay crapflooders for making it impossible to format things usefully in Slashdot comments.)
As far as passwords go, I'm not worried about anyone actually hacking my Kickstarter password. It's a password unique to Kickstarter, and it was generated at random.org as a 13-character mixed-case alphanumeric password. Good luck reverse-hashing that. Even if you do, it won't get you much.
Program Intellivision!
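The delay the comment above works out by hand from the Received: headers can be computed mechanically, which is how you would check a whole batch of notification emails rather than three. The following is an added example, not code from the comment author or from Kickstarter: it parses a constructed message modelled on the headers quoted above (hostnames, addresses and ids are placeholders), orders the hops chronologically, normalises the mixed -0800/+0000 offsets to UTC, and reports the time spent between each hop.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample modelled on the headers quoted in the comment above.
# Hostnames, addresses and the "xxxxxxxxxx" ids are placeholders, not real logs.
SAMPLE = """\
Received: from o2.e2.kickstarter.com (o2.e2.kickstarter.com. [74.63.202.49])
        by xx.example.com with SMTP id xxxxxxxxxx
        for <username@example.com>;
        Sat, 15 Feb 2014 21:49:50 -0800 (PST)
Received: by filter-219.sjc1.sendgrid.net with SMTP id xxxxxxxxxx
        Sat, 15 Feb 2014 21:18:46 +0000 (UTC)
Received: from MTEzNDg (unknown [10.42.83.122])
        by localhost.localdomain (SG) with HTTP id xxxxxxxxxx
        for <no-reply@kickstarter.com>; Sat, 15 Feb 2014 21:18:46 +0000 (GMT)
From: no-reply@kickstarter.com
Subject: (constructed placeholder)

body
"""

# RFC 5322 date-time without the optional "(PST)" comment, which
# parsedate_to_datetime does not need and some MTAs omit.
DATE_RE = re.compile(
    r"(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun),\s+\d{1,2}\s+[A-Z][a-z]{2}\s+\d{4}"
    r"\s+\d{2}:\d{2}:\d{2}\s+[+-]\d{4}"
)

def received_hops(raw_message):
    """Return (receiving_host, UTC timestamp) per hop, oldest hop first.

    Each MTA prepends its own Received: header, so the header order in the
    message is newest-first; we reverse it to walk the path the mail took.
    """
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())          # unfold continuation lines
        dates = DATE_RE.findall(flat)
        if not dates:
            continue                            # malformed hop: skip, don't guess
        stamp = parsedate_to_datetime(dates[-1]).astimezone(timezone.utc)
        by = re.search(r"\bby\s+(\S+)", flat)
        hops.append((by.group(1) if by else "?", stamp))
    hops.reverse()
    return hops

def hop_delays(hops):
    """Seconds spent before each hop after the first, plus the end-to-end total."""
    delays = [
        (hops[i][0], (hops[i][1] - hops[i - 1][1]).total_seconds())
        for i in range(1, len(hops))
    ]
    total = (hops[-1][1] - hops[0][1]).total_seconds() if hops else 0.0
    return delays, total

if __name__ == "__main__":
    hops = received_hops(SAMPLE)
    for host, stamp in hops:
        print(f"{stamp.isoformat()}  {host}")
    delays, total = hop_delays(hops)
    for host, seconds in delays:
        print(f"  +{seconds:8.0f}s before {host}")
    print(f"end-to-end: {total / 3600:.2f} h")
```

Two caveats a practitioner would apply before trusting the numbers: only the Received: header added by your own receiving MTA is under your control (anything earlier in the chain can be written by whoever relayed the message, so a spoofed mail can carry whatever timestamps it likes), and the delay reported here also includes clock skew between the relays, which for an 8.5-hour gap is negligible but for seconds-level triage is not.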