Hackers have stolen customer information from crowdfunding site Kickstarter, the latest incident in the ongoing cybercrime pandemic.
Kickstarter CEO Yancey Strickler confirmed the data breach in a statement, promising affected customers that their bank details were not compromised during the raid.
"On Wednesday night, law enforcement officials contacted Kickstarter and alerted us that hackers had sought and gained unauthorised access to some of our customers' data," read the statement.
"No credit card data of any kind was accessed by hackers. There is no evidence of unauthorised activity of any kind on your account."
Strickler said the hackers did manage to steal some customer details during the raid, but promised that most accounts should remain safe as key items, such as passwords, were encrypted.
"While no credit card data was accessed, some information about our customers was. Accessed information included usernames, email addresses, mailing addresses, phone numbers and encrypted passwords," read the statement.
"Actual passwords were not revealed, however it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one."
He added that users should change their passwords as a precautionary measure.
Trend Micro vice president of security research Rik Ferguson told V3 that while encryption will offer protection to Kickstarter customers using complex passwords, some users could still be vulnerable.
"It does look like it was a unique salt and multiple passes of the SHA-1 hashing algorithm, which while not the best is certainly still relatively resistant to rainbow table-based attacks, meaning the recipient of the data will be forced to try brute force," he said.
"[This] of course [means] that those passwords which are least complex will be first to fall. Unfortunately we have seen abundant evidence that far too many internet users are still choosing simple passwords."
Check Point's UK managing director Keith Bird added that the breach could be doubly dangerous as hackers could use it as an opportunity to target Kickstarter customers with follow-up phishing attacks.
"Users should be very cautious about clicking on links in any follow-up emails that they receive that appear to come from Kickstarter or related organisations, no matter how plausible the emails appear to be. There's a real risk that the details stolen in the hack may be used in phishing attacks to try and harvest more personal data," he said.
Strickler said Kickstarter is working with law enforcement to catch the hackers and is implementing a wave of new security measures to protect its customers from further attacks.
"We have since improved our security procedures and systems in numerous ways, and we will continue to do so in the weeks and months to come. We are working closely with law enforcement, and we are doing everything in our power to prevent this from happening again," he said.
Kickstarter is one of many companies to experience data breaches in recent weeks. Hackers compromised 2,239 Tesco customer accounts during a cyber raid earlier in February.