Will you at some point consider telling us how the compromise happened? This information is useful even at a very high level; it's useful to know whether companies are breached by leaked admin passwords, or inadequately protected admin consoles, or in-app appsec faults like SQLI.
Best of luck dealing with this incident. You're in great company, unfortunately. :|
Making statements like "we don't store credit-cards" and "no credit card data was breached" are feel good statements to minimize brand impact. I find them difficult to accept and a bit disingenuous. How do they know their logs were not modified? Are they sure the attacker didn't insert their own markup or JavaScript to hijack the login or payment form or present a fake payment page? That type of attack can be done via SQLi, XSS Type 2, and a number of other vectors. I understand where they are at & I've been there, but when I was there, I recognized that sometimes there are no answers and all that can be done is to apologize and tell people to change their passwords and watch out for unauthorized charges.
From here forward, I will consider any disclosure involving stolen passwords that does not include a description of the password hashing/encryption/etc mechanism to mean "plaintext-equivalent passwords were taken".
Edit: Changed "plaintext passwords were taken" to "plaintext-equivalent passwords were taken"
Hi, I work at Kickstarter. When communicating with millions of people it's important to balance technical explanations against the desire to communicate your message in common sense terms.
That said, we're being very public with how we hashed them: older Kickstarter passwords used SHA-1 digested multiple times. More recent passwords are encrypted with bcrypt.
Hi! I work at Kickstarter. To answer everyone's question regarding the encryption used for our passwords: old passwords used salted SHA1, digested multiple times. More recent passwords use bcrypt.
I see that when I log into Kickstarter, there's a banner that recommends changing my password. That's pretty good, but why not take it a step further by invalidating all the passwords and forcing a password change when someone logs in?
Thanks for sharing. Curious: at the time of conversion, why not run everything through bcrypt, rather than keeping a dual system? (This way, the old passwords get validated with ->SHA1->digest->bcrypt, and the new passwords get validated with ->bcrypt, but either way everything in the system is bcrypted.)
My guess is that it was a CPU cost decision but I'm curious anyway.
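The migration the comment above describes (wrap every stored legacy hash in the stronger KDF once, offline, then verify old records as `->SHA1->digest->bcrypt` and new ones as `->bcrypt`) is a standard technique, so here is a worked version of it. This is an added example, not Kickstarter's code, and it makes three assumptions: the legacy scheme is modelled as salted SHA-1 iterated a fixed number of times (the thread says "salted SHA1, digested multiple times" but not the exact construction), PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt so the block runs without a third-party module (the wrapping logic is identical for bcrypt; note that bcrypt truncates input at 72 bytes, which a 20-byte SHA-1 digest stays well under), and the `scheme$salt$digest` record format is invented for illustration. The `verify_and_upgrade` login path shows the step that actually retires SHA-1: once a user authenticates, their record is rehashed natively and the wrapper disappears.

```python
import hashlib
import hmac
import os

# Assumed legacy scheme (an assumption, not Kickstarter's actual construction):
# salted SHA-1 iterated LEGACY_ROUNDS times, stored as "sha1$<salt_hex>$<digest_hex>".
LEGACY_ROUNDS = 1000

# Stand-in for bcrypt: PBKDF2-HMAC-SHA256 from the standard library, chosen so the
# example runs without the third-party `bcrypt` module. Migration logic is the same.
KDF_ITERATIONS = 100_000


def legacy_hash(password: str, salt: bytes) -> bytes:
    """Salted SHA-1, digested multiple times (assumed construction)."""
    digest = hashlib.sha1(salt + password.encode("utf-8")).digest()
    for _ in range(LEGACY_ROUNDS - 1):
        digest = hashlib.sha1(salt + digest).digest()
    return digest


def legacy_record(password: str, salt: bytes = b"") -> str:
    """What the old code path would have stored (hypothetical record format)."""
    salt = salt or os.urandom(16)
    return f"sha1${salt.hex()}${legacy_hash(password, salt).hex()}"


def kdf(material: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", material, salt, KDF_ITERATIONS, dklen=32)


def modern_record(password: str) -> str:
    salt = os.urandom(16)
    return f"kdf${salt.hex()}${kdf(password.encode('utf-8'), salt).hex()}"


def wrap_legacy_record(record: str) -> str:
    """Upgrade a stored legacy hash WITHOUT knowing the password: the legacy
    digest becomes the KDF input. Run once, offline, over the whole table, so
    no SHA-1-only record survives in the database waiting for the next breach."""
    scheme, salt_hex, digest_hex = record.split("$")
    if scheme != "sha1":
        raise ValueError("only sha1 records can be wrapped")
    outer_salt = os.urandom(16)
    inner = bytes.fromhex(digest_hex)  # 20 bytes: under bcrypt's 72-byte input limit
    return f"wrapped${salt_hex}${outer_salt.hex()}${kdf(inner, outer_salt).hex()}"


def verify(password: str, record: str) -> bool:
    """Constant-time check across all three record kinds."""
    parts = record.split("$")
    scheme = parts[0]
    if scheme == "sha1":
        _, salt_hex, digest_hex = parts
        candidate = legacy_hash(password, bytes.fromhex(salt_hex))
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    if scheme == "wrapped":
        _, inner_salt_hex, outer_salt_hex, out_hex = parts
        inner = legacy_hash(password, bytes.fromhex(inner_salt_hex))
        candidate = kdf(inner, bytes.fromhex(outer_salt_hex))
        return hmac.compare_digest(candidate, bytes.fromhex(out_hex))
    if scheme == "kdf":
        _, salt_hex, out_hex = parts
        candidate = kdf(password.encode("utf-8"), bytes.fromhex(salt_hex))
        return hmac.compare_digest(candidate, bytes.fromhex(out_hex))
    raise ValueError(f"unknown record scheme {scheme!r}")


def verify_and_upgrade(password: str, record: str) -> tuple:
    """Login path. On success, any non-native record (sha1 or wrapped) is
    rehashed from the plaintext we now hold, so the SHA-1 layer is retired
    user by user. Returns (ok, record_to_store)."""
    ok = verify(password, record)
    if ok and not record.startswith("kdf$"):
        record = modern_record(password)
    return ok, record


if __name__ == "__main__":
    old = legacy_record("correct horse")          # pre-migration row
    wrapped = wrap_legacy_record(old)             # offline batch migration
    ok, stored = verify_and_upgrade("correct horse", wrapped)
    print(ok, stored.split("$")[0])               # True kdf
```

The point the comment makes holds: after `wrap_legacy_record` runs over the table there is no record an attacker can attack at raw SHA-1 speed, whichever code path created it. A weak password is still guessable at the KDF's cost, which is why the breach notice still has to tell users to change it.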
Ugh. That reset procedure did not play well with LastPass.
I logged in (old password), hit change password (old password), then had LastPass generate a new password, which it handily saved over the old one in LastPass. Hit Save. And then the site asked me for the old password a third time.
Whoops! I don't have that anymore...
Yep, I had almost exactly the same thing using a different password manager. I had to find another copy of the password storage file on a different machine and bring the old password over from it.
Note to Kickstarter: It is not good UX to ask for the new password, and then the old password. But that's likely the least of their worries right now.
>For additional help with password security, we recommend tools like 1Password and LastPass.
It's really too bad that they are recommending expensive, proprietary, commercial apps for this when free, open source alternatives like KeePass exist. If users are unconvinced on the value of a password vault, charging money for it certainly isn't going to encourage adoption.
It's really too bad that you recommend an app that is practically garbage user-experience-wise compared to LastPass and 1Password.
If users aren't convinced of the value of a password vault, a god-awful piece of software certainly isn't going to encourage adoption even if it's "free"
"free" if your time is worth nothing
How secure is that? Couldn't they just as easily figure out your KeePass password (providing they know you are using it, and that reversing the KeePass hash isn't any more difficult than reversing the normal one.)
I'm pretty active on Kickstarter, backing multiple projects.
What's really worrying is that the Kickstarter folk didn't detect the breach themselves. It was law enforcement (I'm assuming FBI) who contacted them about it.
On the security notice, Kickstarter writes they "set a very high bar" on how they serve their community. What a load of crock! If they had a high bar this would never have happened. I wish they wouldn't rub salt in the wound by publishing such blatant rubbish.
I'm extremely disappointed with Kickstarter right now.
You should prepare to be extremely disappointed by almost everyone you do business with online. At least Kickstarter was alerted by law enforcement and not Pastebin.
Exactly. You are in horrible shape if it's the police alerting you to this. My policy is "You lose my info, you lose my business". I deleted my account.
"No credit card data of any kind was accessed by hackers. "
Ironically there is at least a clearly defined system and procedure setup to mitigate a stolen credit card number. Essentially most if not all credit card companies will wipe out any malicious charges and cheerfully replace your credit card. And hopefully if you have more than one card that's not even a problem that you have to wait.
All the other information though that is:
"some information about our customers was. Accessed information included usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords"
...well to me that's actually more of an issue. Ironically.
On Wednesday night, law enforcement officials contacted Kickstarter and alerted us that hackers had sought and gained unauthorized access to some of our customers' data. Upon learning this, we immediately closed the security breach and began strengthening security measures throughout the Kickstarter system.
No credit card data of any kind was accessed by hackers. There is no evidence of unauthorized activity of any kind on your account.
While no credit card data was accessed, some information about our customers was. Accessed information included usernames, email addresses, mailing addresses, phone numbers, and encrypted passwords. Actual passwords were not revealed, however it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one.
As a precaution, we strongly recommend that you change the password of your Kickstarter account, and other accounts where you use this password.
To change your password, log in to your account at Kickstarter.com and look for the banner at the top of the page to create a new, secure password. We recommend you do the same on other sites where you use this password. For additional help with password security, we recommend tools like 1Password and LastPass.
We’re incredibly sorry that this happened. We set a very high bar for how we serve our community, and this incident is frustrating and upsetting. We have since improved our security procedures and systems in numerous ways, and we will continue to do so in the weeks and months to come. We are working closely with law enforcement, and we are doing everything in our power to prevent this from happening again.
Kickstarter is a vibrant community like no other, and we can’t thank you enough for being a part of it. Please let us know if you have any questions, comments, or concerns. You can reach us at [email protected].
Thank you,
Yancey Strickler, Kickstarter CEO
1. Have you leaked physical addresses that were provided to completed projects for shipping of the rewards?
2. Given the wording - "access to some of our customers' data" - will you provide a way to check if specific account was affected? Or was it "possibly all customer data"?
Thanks
I had an incensed reaction to their email, which had only stated that the passwords were "encrypted". Not until I searched these comments here for the text "encrypt" did I learn that they actually hashed with bcrypt.
I humbly suggest all security notices like this that are sent in the future, if written with the word "encryption" rather than "hashing" for the layperson's sake, have an asterisk next to the word "encryption". At the bottom of the email, the explanation "hashing with {{algo}}" where "hashing" links to [1] would be included. Laypeople get their simple explanation, technical people don't get too angry. And some laypeople may click through the link and learn something.
[1] http://en.wikipedia.org/wiki/Cryptographic_hash_function#Pas...
Has anyone received this as an email (or any other notice besides reading it on their blog / news sites)? It looks like it may have been emailed to people running Kickstarter campaigns, but this really ought to be sent to all people with affected information (which sounds like all users). If they don't do that and/or expire passwords currently stored to require that users reset them, it's highly likely that a lot of users won't ever notice or change their credentials.
EDIT: I did just talk to someone who is not a campaign owner and received an email regarding this, so it does look like they're in flight.
When will big companies value personal information enough to encrypt it along with credit card information and hashing passwords? We encrypt all personal information at Miniand, and I do realise it makes it very difficult to query data, but I believe that's an inconvenience that needs to be accepted.
We recommend you do the same on other sites where you use this password. For additional help with password security, we recommend tools like 1Password and LastPass.
Please don't make such a recommendation. This won't change the fact that the password is stored in your database. In a security breach, don't ever make such a recommendation.
In fact, the alert doesn't tell me exactly what happened. Are just two accounts stolen from phishing attack? Or was it a server breached? We need that detail.
For disclosure, please do the following:
1. time of incident reported and the time of impact.
2. how the incident was reported
3. the severity of the incident
4. how the incident happened
5. resolution
I don't mind having a first notice and then follow up by a more detailed post, but don't forget...
Huh? I don't follow this at all. Why should they not recommend password managers? More people should, in fact, be using them.
We'd all like answers to every question we could have about the compromise. As you can see upthread, they've already committed to providing some of those answers. In the meantime, they're probably slammed with other things, and you aren't actually entitled to answers to all of your questions. You are obviously free to take your business elsewhere if their answers aren't satisfactory.
"however it is possible for a malicious person with enough computing power to guess and crack an encrypted password, particularly a weak or obvious one."
I own my domain, and use distinctive user names for registering at sites like this. I'll have to start checking my spam folder for the address I used (which I hadn't just cleaned it out...).
Time to get LaunchKey (https://launchkey.com). Seriously, any Kickstarter employee wants to talk about integration and protecting users contact us. LaunchKey is password-less multi-factor authentication. These user data breaches don't have to include the password hysteria and weaknesses.
Didn't store my credit card info with them, used a long, random, unique password from a password gen, not terribly concerned. The peace of mind this buys me is absolutely worth the hassle of setting it all up, and the accusations of paranoia from more relaxed friends and family.
mecredis|12 years ago
Yes, we're hoping to do a post-mortem soon on our engineering blog, so that others can learn from our experience.
jeditobe|12 years ago
kickstarter.com/projects/thorium/thorium-core-cloud-desktop/backers
RyanZAG|12 years ago
Any chance you could give us information on what kind of attack vector was used?
theboss|12 years ago
Also they run in your browser which means the client side and crypto code is easily recoverable
sillysaurus2|12 years ago
More seriously, why is the social convention to lie in these situations? Why not just say what methods they were actually using?
I suppose it's possible they were storing encrypted passwords. But then an attacker would be able to break all of them at once.
toyg|12 years ago
It is indeed troubling that KS didn't detect the breach in the first place (or if they did, they kept it mum until forced by the authorities).
Rapzid|12 years ago
Aaaannnnddddd I'm guessing they lost the salt >.<