CROWDFUNDING WEBSITE Kickstarter has been breached by hackers that lifted users' personal details and encrypted passwords.
The firm was notified of the hack by law enforcement officials. It wasted no time and alerted its members via email on Sunday.
That email was apologetic, and the firm said it was cleaning up and shoring up its security. It admitted an incident of unauthorised access, and said that "encrypted passwords" were stolen. It also published a blog post about the attack.
"On Wednesday night, law enforcement officials contacted Kickstarter and alerted us that hackers had sought and gained unauthorized access to some of our customers' data. Upon learning this, we immediately closed the security breach and began strengthening security measures throughout the Kickstarter system," said the statement emailed to users and signed by Kickstarter CEO Yancey Strickler.
"While no credit card data was accessed, some information about our customers was. Accessed information included usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords. Actual passwords were not revealed, however it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one."
Because passwords can be guessed, and because some have been pinched. Strickler advised users to change their Kickstarter credentials, as well as settings on other websites where they used the same password. He recommended the password generating services 1Password and Lastpass.
As is traditional in such circumstances, the firm apologised for what happened and promised that no stone would be left unturned in its investigations.
"We're incredibly sorry that this happened. We set a very high bar for how we serve our community, and this incident is frustrating and upsetting. We have since improved our security procedures and systems in numerous ways, and we will continue to do so in the weeks and months to come. We are working closely with law enforcement, and we are doing everything in our power to prevent this from happening again," added Strickler.
"Kickstarter is a vibrant community like no other, and we can't thank you enough for being a part of it."
Keith Bird, UK managing director of security firm Check Point said that the firm is taking the right approach, and hoped that its customers will as well.
"Kickstarter has done the right things following the breach, notifying users and advising them to reset passwords via its website. It's wise to do this even though Kickstarter stored its passwords in encrypted form," he said.
"But users should be very cautious about clicking on links in any follow-up emails that they receive that appear to come from Kickstarter or related organisations, no matter how plausible the emails appear to be." µ