Kickstarter, the website that helps people like Zach Braff crowdfund private artistic and commercial projects, said that it was hacked and some user information compromised.
In a blog post on Saturday, the company said it learned about the breach on Wednesday, and said that usernames, email addresses, mailing addresses, phone numbers and encrypted passwords may have been exposed. Kickstarter recommended users change their passwords for safety. The company was at pains to emphasize that "No credit card data of any kind was accessed by hackers. There is no evidence of unauthorized activity of any kind on all but two Kickstarter user accounts."
Kickstarter also explained that "older passwords were uniquely salted and digested with SHA-1 multiple times. More recent passwords are hashed with bcrypt," and that it does not store credit card information. The firm also included a rather heartfelt apology in the statement:
We’re incredibly sorry that this happened. We set a very high bar for how we serve our community, and this incident is frustrating and upsetting. We have since improved our security procedures and systems in numerous ways, and we will continue to do so in the weeks and months to come. We are working closely with law enforcement, and we are doing everything in our power to prevent this from happening again.
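Kickstarter's statement describes two password-storage schemes living side by side: an older salted, iterated SHA-1 scheme and a newer one using a slow hash. The usual way a site retires the weaker scheme is to verify a legacy hash on login and re-store the password under the modern scheme. The following is an added illustration of that verify-and-upgrade step, not Kickstarter's code; the legacy record format, the iteration count and the `scheme$salt$digest` layout are assumptions, and PBKDF2-HMAC-SHA256 from Python's standard library stands in for bcrypt.

```python
import hashlib
import hmac
import os

# Assumed iteration count for the legacy "digested with SHA-1 multiple times" scheme.
LEGACY_ROUNDS = 1000
# PBKDF2-HMAC-SHA256 stands in here for bcrypt, which is not in the standard library.
PBKDF2_ITERATIONS = 200_000


def legacy_sha1_hash(password: str, salt: bytes, rounds: int = LEGACY_ROUNDS) -> bytes:
    """Assumed legacy scheme: SHA1(salt || password), then re-hashed `rounds - 1` more times."""
    digest = hashlib.sha1(salt + password.encode()).digest()
    for _ in range(rounds - 1):
        digest = hashlib.sha1(digest).digest()
    return digest


def make_legacy_record(password: str) -> str:
    """Build a legacy-format record with a fresh per-user salt (constructed layout)."""
    salt = os.urandom(16)
    return "sha1$" + salt.hex() + "$" + legacy_sha1_hash(password, salt).hex()


def make_pbkdf2_record(password: str) -> str:
    """Build a modern-format record with a fresh per-user salt and a slow KDF."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2$" + salt.hex() + "$" + key.hex()


def verify_and_upgrade(stored: str, password: str):
    """Check `password` against a stored record of either scheme.

    Returns (ok, replacement). `replacement` is a modern record the caller should
    write back when a legacy hash verified, and None otherwise.
    """
    scheme, salt_hex, digest_hex = stored.split("$")
    salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    if scheme == "sha1":
        ok = hmac.compare_digest(legacy_sha1_hash(password, salt), expected)
        # Only a successful login reveals the plaintext needed to re-hash it.
        return ok, (make_pbkdf2_record(password) if ok else None)
    if scheme == "pbkdf2":
        key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        return hmac.compare_digest(key, expected), None
    raise ValueError(f"unknown password scheme: {scheme}")
```

Upgrading on login only reaches users who sign in; accounts that never log in keep the weaker hash, which is one reason a forced password reset after a breach is sometimes preferred.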
Still, the company has gotten some flak for its delay in reporting the incident. Security expert Graham Cluley wrote on WeLiveSecurity.com that he suspects Kickstarter was trying to bury the news by posting the statement in the middle of a holiday weekend — and that the decision may have negative ramifications for users:
The delay does mean that the criminals have four days’ head start over anyone who had their details exposed by the security breach. During those four days – if you were unfortunate enough to be using your Kickstarter password on other websites – the criminals could have accessed your other online accounts, and stolen information from them. Furthermore, there was nothing to stop them from spamming you with malicious links or phishing attacks, as they now know your email address and other pieces of personal information.
Some Kickstarter users agree with Cluley, and made their feelings clear on Twitter:
@kickstarter Perhaps you should have told us that our passwords were stolen when it happened THREE DAYS AGO? How very impressive of you... — Strange Tea (@Strange_Tea) February 15, 2014
Others wondered why the company didn't force users to change their passwords as a security measure.
Cluley added that the fact that Kickstarter did not discover the breach on its own should serve as a red flag for the company, which may need to strengthen its security systems.
The company did, however, receive some accolades from users for transparency, as it did eventually email most of its users directly. As breaches become more common, it seems all users can do is hope for an apology and assume they are always at some risk.